Analysis Overview
SHA256
2b75bafbdbd5788fc4a180cc2270d7e4a1b91d979e8abeaab3b3a9c91e8c55a5
Threat Level: Known bad
The file Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe was found to be: Known bad.
Malicious Activity Summary
Pony family
Azorult
Azorult family
Pony,Fareit
Reads local data of messenger clients
Loads dropped DLL
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Delays execution with timeout.exe
outlook_win_path
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-24 10:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-24 10:52
Reported
2025-03-24 10:53
Platform
win10v2004-20250314-en
Max time kernel
40s
Max time network
41s
Command Line
Signatures
Azorult
Azorult family
Pony family
Pony,Fareit
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe
keygen-pj.exe -pAevKviq48c
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240628734.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "keygen-step-1.exe"
C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | upqx.ru | udp |
| RU | 185.180.231.18:80 | upqx.ru | tcp |
| RU | 185.180.231.18:80 | upqx.ru | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
| MD5 | b7da5b5251bfd8f57cbac943155601a9 |
| SHA1 | 133751b2b7a68a92ad1e21417dd4d2b1d44cc2da |
| SHA256 | 023d11aa3cbc04bc1591c0bb608f35da7c124f8a30c57accaf6be067b889c2ee |
| SHA512 | 7e71857c603dee06fc7a63a8a0e7cfb7f18d24b676c0a3df45f5b011f638a84faf4bb5d69ebc2c5a998482c4bbad1b726c43aa6e5669d3762f263a56d4e47368 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe
| MD5 | c0f34f38475aa244c9c8696aeed709a5 |
| SHA1 | 0194b56c80c4b5192873400fdc96ce7d8df682a2 |
| SHA256 | 831c985a5c9cc76c7c3de456f2eafeeba65a8930ef5e2aecc69fc7bd739f1046 |
| SHA512 | 15defe7601a9d49325719b746422ddc60492935d3e34db058ed7f726cfeff0b3dac6faf2bcb9113ce14bdf9e8d295bef33931fd23e58c995cc6a4f42fa310ced |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
| MD5 | 43eb47b71c9f1003adc2d0f108d2679c |
| SHA1 | 5965eb51d289dc79ab56cb995d47f371472d4846 |
| SHA256 | 913ee402508d3b9e7e55e1051f16a358ce78c19b4e07c6f234f4b73602802fa1 |
| SHA512 | 7713cfcf2e1aae2ddc4dab14f4f7f1a4f5a414f87f75a2371fe261edceb9882b935a6044dd0fd1b88fc11cc9b044672fb14a91987806e3afff9df74fd6f5eee0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl
| MD5 | 302267a8757b88bbe67ed41215aeb525 |
| SHA1 | 4a43c786460832a438121baf5674b76967f5cd71 |
| SHA256 | 00fbce5de0c466e3692934cd8f04b3ce7093ec614ff0f1d92a68b2353160c059 |
| SHA512 | ba5ef89a9bbe3e741e9a3974f7132410333cfd02fd49932e99b4d324eac14c9d6a4c5a03502a4f0ec8cc709e76963db0b718fcd66130a48cfb3f4e5803d8a38c |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
| MD5 | 2fbf80a7ba32f036bb97a2d0d909283c |
| SHA1 | ed00a832320f3806ef3ecacfb54356e55b8e713f |
| SHA256 | aaa583789b2a7d918ab2654f48b2f401588f43f8b835ea176ea4276c59bed4ee |
| SHA512 | a74ec6ffc270d3800f673aa83a76d6dc59857a71791470a4e09653bbfc18ec192b8949566ab15adaf923a3f9b54d568f6de93ad36df70357450d3effb09160ef |
C:\Users\Admin\AppData\Local\Temp\240628734.bat
| MD5 | 3880eeb1c736d853eb13b44898b718ab |
| SHA1 | 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6 |
| SHA256 | 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7 |
| SHA512 | 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b |
C:\Users\Admin\AppData\Local\Temp\A11992DE\nss3.dll
| MD5 | 556ea09421a0f74d31c4c0a89a70dc23 |
| SHA1 | f739ba9b548ee64b13eb434a3130406d23f836e3 |
| SHA256 | f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb |
| SHA512 | 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2 |
C:\Users\Admin\AppData\Local\Temp\A11992DE\mozglue.dll
| MD5 | 9e682f1eb98a9d41468fc3e50f907635 |
| SHA1 | 85e0ceca36f657ddf6547aa0744f0855a27527ee |
| SHA256 | 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d |
| SHA512 | 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed |
C:\Users\Admin\AppData\Local\Temp\A11992DE\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
C:\Users\Admin\AppData\Local\Temp\A11992DE\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
memory/2488-152-0x0000000000400000-0x0000000000420000-memory.dmp