Analysis Overview
SHA256
fc82b563d313863573783df7d7b533da56a26e167db3a9143c7a780f1cab793d
Threat Level: Known bad
The file 32_94_payment_bv_xls.vhd was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Modifies registry class
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-11 21:44
Signatures
Analysis: behavioral6
Detonation Overview
Submitted
2023-03-11 21:43
Reported
2023-03-11 21:47
Platform
win10v2004-20230221-en
Max time kernel
109s
Max time network
128s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$RMH8R2U.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$RMH8R2U.js'" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | js9400.duckdns.org | udp |
| EE | 91.193.75.174:9400 | js9400.duckdns.org | tcp |
| US | 8.8.8.8:53 | 174.75.193.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.238.32.23.in-addr.arpa | udp |
| IE | 20.54.89.15:443 | N/A | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 8.8.8.8:53 | 126.137.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 204.79.197.203:80 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-11 21:43
Reported
2023-03-11 21:51
Platform
win10v2004-20230220-en
Max time kernel
359s
Max time network
359s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000060ac268a6d45d9011ad2a9926d45d9013a8341946d45d90114000000 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\NodeSlot = "11" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\MRUListEx = ffffffff | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Program Files\7-Zip\7zG.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\desktop.ini
C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js
C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\System Volume Information\IndexerVolumeGuid
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap11867:122:7zEvent4637 -ad -saa -- "C:\Users\Admin\AppData\Local\Temp\System Volume Information"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap17664:96:7zEvent10106 -ad -saa -- "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.0.1160829406\1123840426" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3014b51d-db30-4d94-a573-0185985f94e9} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 1932 1e4c8fe9e58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.1.1878629275\2145342391" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20848 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1b87d78-1547-45a6-9a0d-700a63b355c0} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 2332 1e4bc072858 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.2.1621658015\961681427" -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3048 -prefsLen 20931 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2f1b635-fa8c-44d0-bd30-83bb2101f26b} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 3024 1e4c8f6a858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.3.1445297746\727750789" -childID 2 -isForBrowser -prefsHandle 2364 -prefMapHandle 2380 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d60ab71-c0e6-4a1d-9f4b-c08f57fcc6fa} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 3480 1e4bc05ee58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.4.828423946\909016699" -childID 3 -isForBrowser -prefsHandle 3920 -prefMapHandle 3952 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f3e5358-6549-46fc-9298-620e234cf704} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 3964 1e4cdd92b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.7.437410535\1727918844" -childID 6 -isForBrowser -prefsHandle 5260 -prefMapHandle 5264 -prefsLen 26579 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f29fb50d-0f62-42c8-8145-f089a3bb4a61} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 5252 1e4cf2c3258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.6.513911883\841582796" -childID 5 -isForBrowser -prefsHandle 5056 -prefMapHandle 5060 -prefsLen 26579 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a25de54e-6e03-457b-97db-708fc793715e} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 4920 1e4cf0d5d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.5.1414364224\1635760941" -childID 4 -isForBrowser -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 26579 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc01d36c-2140-4a3e-8f2b-d3f0f179b20f} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 4868 1e4cf0d4e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.8.404257833\255512352" -parentBuildID 20221007134813 -prefsHandle 5516 -prefMapHandle 5660 -prefsLen 26579 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ed26ff3-5b38-477e-a9aa-42e72c12d4f8} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 5632 1e4ce4b3258 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.9.1016232532\2000099049" -childID 7 -isForBrowser -prefsHandle 5800 -prefMapHandle 5796 -prefsLen 26579 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9daa2ad-86a0-4bd8-84ee-14ecbf5c9516} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 5808 1e4d135a258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.10.43493990\1524671979" -childID 8 -isForBrowser -prefsHandle 3464 -prefMapHandle 3492 -prefsLen 26771 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88fda308-64c5-4d96-9f36-3376e1273aff} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 3524 1e4bc05ee58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.11.1732586823\416907492" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6404 -prefMapHandle 8156 -prefsLen 30220 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdf6232b-efbf-45f9-bf89-46b9a3155352} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 8180 1e4bc05fb58 utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.12.1876028262\909887689" -childID 9 -isForBrowser -prefsHandle 5036 -prefMapHandle 8020 -prefsLen 30220 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e54a3edb-ee95-460a-8b97-629cad4f1682} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 5152 1e4bc05dc58 tab
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.131.255.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 20.189.173.6:443 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.238.32.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:49778 | N/A | tcp |
| N/A | 127.0.0.1:49785 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 54.202.87.39:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 54.148.219.139:443 | push.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 239.237.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.5.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.87.202.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.9.241.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.144.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.219.148.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | 37.158.120.34.in-addr.arpa | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:80 | transfer.sh | tcp |
| DE | 144.76.136.153:80 | transfer.sh | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ghbtns.com | udp |
| US | 172.67.166.11:443 | ghbtns.com | tcp |
| US | 172.67.166.11:443 | ghbtns.com | tcp |
| US | 8.8.8.8:53 | ghbtns.com | udp |
| US | 8.8.8.8:53 | ghbtns.com | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.166.67.172.in-addr.arpa | udp |
| US | 172.67.166.11:443 | ghbtns.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 6.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| GB | 88.221.134.209:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 216.58.208.110:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 216.58.208.110:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r5---sn-aigl6nl7.gvt1.com | udp |
| GB | 173.194.183.202:443 | r5---sn-aigl6nl7.gvt1.com | tcp |
| US | 8.8.8.8:53 | r5.sn-aigl6nl7.gvt1.com | udp |
| US | 8.8.8.8:53 | r5.sn-aigl6nl7.gvt1.com | udp |
| US | 8.8.8.8:53 | 209.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.183.194.173.in-addr.arpa | udp |
| GB | 173.194.183.202:443 | r5.sn-aigl6nl7.gvt1.com | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.111.73.144:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.111.73.144:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | fennec-catalog-cdn.prod.mozaws.net | udp |
| US | 34.111.73.144:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| US | 34.111.73.144:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| US | 34.111.73.144:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| US | 34.111.73.144:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | fennec-catalog-cdn.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 144.73.111.34.in-addr.arpa | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 172.67.166.11:443 | ghbtns.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.js
| MD5 | 9971fa8fa89a208685d3e30835832fb5 |
| SHA1 | 5d9972a3bdbd4c18b3648597d2fd9f9fd6e30300 |
| SHA256 | 13417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084 |
| SHA512 | 02b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | b87ae82ca3aa53df98bb576ba2a3b831 |
| SHA1 | 0282f77c9697b0768bb7fb88ea7a74e115ff5094 |
| SHA256 | 1f744a15b6cd9427deb2f98522e95129650d99becdba02740acbb25f3fe10750 |
| SHA512 | 46ef22301ea530e0b6ea734735390bd0dc552ce8be9d4c80034eccdbd07254c8f5eb2dbed9c837f34b625f822363d010d19ec854de4a90337de6238d6d606c16 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
| MD5 | 82a6b135f1d3e42884a210ffbbb99ac4 |
| SHA1 | 5c2a1b60365edb1ad52f7be7215e229bb3aa5bc7 |
| SHA256 | b84622b6bc2ea2628a3decdf908be1fb7b5ffa52004e1f2f91fa3dfe5ad66dbd |
| SHA512 | 215d9590677e32cdc50238ad68de94dadc2bb60942a947c0aa3e4ff159bcad7814132e9bf4ffc98179be56d6e2f7fb3b013a1bd95b9d817b4b0d2d1585ded533 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
| MD5 | 7ce01ab72de5ee375c2c3fadabb1a500 |
| SHA1 | 8a044e806ca8bca6d06b1bf0dd44d16ad0d66d47 |
| SHA256 | 14a49eef665c8e7b5605ba7c0fff2dd2bc6e75166bc1212081f2eda2f2b22745 |
| SHA512 | 06e219cda8d0c7377d43c28d7a37de7cede7dea6948cd6073e6ccbd4c1eeef409b6a97e91f8fa080345dcfbfa8aa401d91e68bcda6c8e74f57054d84cb3ce676 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 576224577ba209767c04782188ac1303 |
| SHA1 | 8d865fe240b062cc67bc1bd00c0c19bd40d70a81 |
| SHA256 | a5a0e13d79e3683a9b9e2de63e439eb7aa0623911d88c45f50ceb1ea26b5d998 |
| SHA512 | cb6d0a4bf987810fdf0773e393d333b74d20d4c9c23354fe633b3e4a445b553ea29aaaf6c7c9f7143cf6beb385ec4b7c2e8c6e65bb0b0422c8728e76e58365ff |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
| MD5 | 5d67cc11aec8ed552d358b53efd762fd |
| SHA1 | 919383ddcc27e02431a81746d2538f6173945133 |
| SHA256 | c3a7d9a5b7e30643aafb3262859713e322f7484bfe1b6bd0bb9b4ed45cc3127d |
| SHA512 | 1fc295c5391f52730baaaa8374ac7ef2dfcc723ab5453f209598a43c24954e723d2ccedabc54a7b3db6eb6dcd672ba48221331fb85818072a1c47b7b556cd91e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 98d3f74ed61a730cf6efd9178be76e36 |
| SHA1 | ce18cef3ad48912700d629e84a48070626a75782 |
| SHA256 | 41e869b605cafc1205006b5b51b3fe8a960a5c907e75abb5133f97ba43838ef6 |
| SHA512 | be526adfe732ef4f5f3244ddc9b88e7bd795d61089c636c14a160dd336f677563677e3b75477b1e0e90280dc9c63340f46d94a92afec8d360eb67f7824d735b9 |
C:\Users\Admin\Desktop\$RECYCLE.BIN.7z
| MD5 | dd5132fe5a8eedfe6bfbd13c43ee39b0 |
| SHA1 | 84624f9c59293534b8358807003766a64ce6f6ba |
| SHA256 | ede2f6b72edcbf71a8304781e1caee45fd35eb6b56031c20594db73f1eefbfb0 |
| SHA512 | 43c0331f4f4af4a6ffc5c988dd87bddabb745970dfd942d1f2b8dd6d0c7cbb0b739a1bc41acf354d1a7ba33eccc9a3f9669d6c6f943d616f1ee93b85f2f675ff |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
| MD5 | 123360b742fdae18f42c038c4d4648e2 |
| SHA1 | 766d224a79ad97511ff44696e08199d81d7f5f9d |
| SHA256 | 8ab9b9c361a9a12317c8d52deb0179ebed2c9d4fec189942d7d433b5e82e4d23 |
| SHA512 | 4a1fb3536ad9d9b2d31e0f22725922ab5fd0b681071c04277582081eae18cbbbe9e87263aaafe1a7b8eb771b949744092e3af6ab2ab3acabb8ba50d240b704d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
| MD5 | 3fb46adc253a97f791e24c13e83e94d1 |
| SHA1 | 997a2661d21603988fc27a1a2ce1f543738d6f3b |
| SHA256 | 3a7ad50da85cf5c23521cb7751dabb9aa75cd15123424611b23f09314326c3b6 |
| SHA512 | def8229849aa27767c95f55862711cbdbb30bf58deffc134721959e9f81e4f92618a53218ad79b4b1d553be99ee12b9548f9293133dfc8f153965e06e99bac00 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cache2\entries\184C843EA0B8CD10730CA2564A233632E40FEF45
| MD5 | bd411e3a89e3419b636300e5f8ebefe6 |
| SHA1 | c8ed2dda55490ba1824b53ff806e9e2bde053978 |
| SHA256 | e6ed1922ad279c867fe831c7f7a366e3d427f26dcccc35321e4a110a3baaf34d |
| SHA512 | a66fb84fd2794aeca46573a15ecf378a6bc4cf9db94af6384ef83468881ad71db2979da4692433c3c8b975233b9d158a0a0fc8530d58502c56ea33f558df81a1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
| MD5 | f01d14038e4bbe02d5faacdb801482e0 |
| SHA1 | 9eb00e9b0c3f9dba82fcb0e4488f476bafb21240 |
| SHA256 | b8fe8c837634fa42a56b790d534af2bd77178ec90104ead54ad0de7a38a91dde |
| SHA512 | 999e46dbb9f052828a74d34847933f33dfb90f148f1b2cbe6776bc201b69e1f7435f5776304cc1e20f85d0c8ab3f947795233a415d115eb249568df07a98b781 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cache2\doomed\10358
| MD5 | 952df9f0b3a5cf599b9d62e0b17cbff9 |
| SHA1 | f13f4eb2482ac2504bf7204cd95b22cffe82b6ec |
| SHA256 | e160a0993c9021d00fe3db98b6a2901340dad25083e1f69486bd3d9ceac6f016 |
| SHA512 | af350dfaa35363c77c0f50448b062a37360b880f62f5382d3a70db5b182122a39930ff4c5214fb9e62bda24b1e2b8892ae8fb8e6086f61f90caf41db8d539f95 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cache2\doomed\29592
| MD5 | b33a0e6ca6c9150e58700aebfdd99f0f |
| SHA1 | ff601ae0b6ae086cf346616d51aca76750d07e00 |
| SHA256 | f8f5d953a7151c76a87791a1fe21ab9889377a922fa8038cdf8fe5c5a0dc4475 |
| SHA512 | b2d38d55c1f053cd5977f00c19601776458a2dd0956938beaef56f82c0308a2bc3bd8b8dba6f4d95646e72f0a941ca46c2256b7f3115204dc8f8904ff131535c |
C:\Users\Admin\Desktop\System Volume Information.7z
| MD5 | 6a7581fe84c84ddee1104cba62c1ef36 |
| SHA1 | b465b07fe8fe19b36f1d12dbf9087adfc7d13952 |
| SHA256 | be98775c0bf62d44ef0e7bdeefd1d05c4b9b5b5092c27559efc9f63bf916f59c |
| SHA512 | 5737cb4912ad89d7927db761ed3a223a5cb497ec8dbafda797ca323157bcb83fb4ffb0ae8532d96f36455f51ee7cb8d3430485037582eb3771e4a1d4ff4b2835 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
| MD5 | aa6b7522a70f06b0b885bbc7d63221ae |
| SHA1 | 10a36774cae5ca0e02e244d82b9682700586b18c |
| SHA256 | cc51434b77fc601d7fcedccfa0b408d86518dfc32c92dcc21078cfe2df105044 |
| SHA512 | 28ecad0ab3acbc93e44ef0ca0306e859607b18c8ebf28b0a846570bb9d3c8e5e2135823d8dc4ee179b29f359b026742d2a45951b65addd75856545b94ccf6eb1 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-03-11 21:43
Reported
2023-03-11 21:47
Platform
win10v2004-20230220-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 20.42.73.24:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| NL | 88.221.25.155:80 | | tcp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.238.32.23.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-03-11 21:43
Reported
2023-03-11 21:47
Platform
win10v2004-20230220-en
Max time kernel
127s
Max time network
153s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R5VEPRW.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$R5VEPRW.js'" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js
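The persistence chain recorded above (a script copied into the Startup folder plus a Run value pointing at the same .js under Temp, both written by wscript.exe, which itself was launched on a script sitting in $RECYCLE.BIN) is what host-side triage should key on. The following is an added example, not part of this report or of any sandbox vendor's tooling: it parses rows in the shape of the signature tables above, undoes the report's escaping of the quoted path, and flags script-host persistence in user-writable locations. The extension and directory lists are assumptions, and the sample rows are constructed from this page's behavioral4 and behavioral5 tables.

```python
"""Triage the persistence indicators this report lists for Vjw0rm."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind name path process reasons")

# File types wscript.exe / cscript.exe / mshta.exe execute directly (assumed list)
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")

# Locations a standard user can write to (assumed list); an autorun that
# points here deserves more scrutiny than one under Program Files
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
    "\\$recycle.bin\\",
)
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# `...\CurrentVersion\Run\<name> = "<value>"` exactly as the report prints it
RUN_VALUE_RE = re.compile(
    r"\\CurrentVersion\\Run\\(?P<name>[^\\=]+?)\s*=\s*\"(?P<val>.*)\"\s*$",
    re.IGNORECASE,
)
# `wscript.exe <script>` or `cscript.exe <script>`, quoted or not
SCRIPT_HOST_RE = re.compile(
    r"^(?:.*\\)?(?:w|c)script(?:\.exe)?\s+\"?(?P<script>[^\"]+?)\"?\s*$",
    re.IGNORECASE,
)


def unescape_value(raw):
    """Undo the report's escaping of backslashes and quotes, then strip the
    quotes the malware wrapped around the script path."""
    val = raw.replace('\\"', '"').replace("\\\\", "\\")
    return val.strip().strip("'\"")


def path_reasons(path):
    """Why a path is worth flagging; an empty list means it looks benign."""
    low = path.lower()
    reasons = []
    if low.endswith(SCRIPT_EXTS):
        reasons.append("script-host file type")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("user-writable location")
    return reasons


def triage_signature_rows(rows):
    """rows: iterable of (description, indicator, process) as in the tables."""
    findings = []
    for description, indicator, process in rows:
        m = RUN_VALUE_RE.search(indicator)
        if description.startswith("Set value") and m:
            path = unescape_value(m.group("val"))
            reasons = path_reasons(path)
            if reasons:
                findings.append(Finding("run_key", m.group("name"), path, process, reasons))
        elif description == "File created" and STARTUP_DIR in indicator.lower():
            name = indicator.rsplit("\\", 1)[-1]
            if name.lower().endswith(SCRIPT_EXTS):
                findings.append(Finding("startup_drop", name, indicator, process,
                                        ["script in Startup folder"]))
    return findings


def suspicious_script_launch(cmdline):
    """True when a script host runs a script file from a user-writable path."""
    m = SCRIPT_HOST_RE.match(cmdline.strip())
    return bool(m) and len(path_reasons(m.group("script"))) == 2


# Constructed from the behavioral5 and behavioral4 signature tables on this page
SAMPLE_ROWS = [
    ("Key created",
     r"\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     r"C:\Windows\system32\wscript.exe"),
    ("Set value (str)",
     r'''\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$R5VEPRW.js'"''',
     r"C:\Windows\system32\wscript.exe"),
    ("Set value (str)",
     r'''\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$R4FIL8H.js\""''',
     r"C:\Windows\system32\wscript.exe"),
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R5VEPRW.js",
     r"C:\Windows\system32\wscript.exe"),
]
SAMPLE_CMDLINE = r"wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js"

if __name__ == "__main__":
    for f in triage_signature_rows(SAMPLE_ROWS):
        print(f.kind, f.name, f.path, ", ".join(f.reasons))
    print("suspicious launch:", suspicious_script_launch(SAMPLE_CMDLINE))
```

Both quoting styles the page records for the Run value (single quotes in behavioral5, escaped double quotes in behavioral4) resolve to the same Temp path, which is the value to pivot on across detonations; the random value name 0YME0MQN5Y and the $R-prefixed file names are per-sample and make poor long-lived indicators.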
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | js9400.duckdns.org | udp |
| EE | 91.193.75.174:9400 | js9400.duckdns.org | tcp |
| US | 8.8.8.8:53 | 37.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.75.193.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 52.152.108.96:443 | | tcp |
| US | 20.189.173.3:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 97.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 154.25.221.88.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
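This table is where the sample's C2 separates from sandbox background traffic: the only named host contacted on a non-standard port is js9400.duckdns.org at 91.193.75.174:9400, while the transfer.sh rows in the first network table on this page are what the "Legitimate hosting services abused" signature refers to. The following is an added example, not part of this report or of any vendor's code: it parses rows in the `| Country | Destination | Domain | Proto |` layout, tolerates rows where an empty Domain cell has been collapsed so the protocol lands in the wrong column (a layout that occurs in sandbox exports), drops resolver and reverse-lookup noise, and flags dynamic-DNS hosts, non-standard ports and public file-hosting services. The provider lists are assumptions and the sample table is constructed from rows on this page.

```python
"""Pull C2 and staging indicators out of a sandbox network table."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "country ip port domain proto")
Ioc = namedtuple("Ioc", "domain ip port reasons")

# Assumed provider lists; extend them from your own threat intel
DYNAMIC_DNS = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "zapto.org")
FILE_HOSTING = ("transfer.sh", "pastebin.com", "cdn.discordapp.com")
COMMON_PORTS = {53, 80, 443}
RESOLVER_PORT = 53

DEST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")


def parse_rows(text):
    """Parse `| CC | ip:port | domain | proto |` rows; the header is skipped."""
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or not DEST_RE.match(cells[1]):
            continue  # header, blank or malformed row
        ip, port = cells[1].rsplit(":", 1)
        # Some exports collapse an empty Domain cell so `tcp` lands in the
        # Domain column: take whichever cell says tcp/udp as the protocol and
        # whatever non-empty cell remains as the domain
        rest = cells[2:]
        proto = next((c.lower() for c in rest if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in rest if c and c.lower() not in ("tcp", "udp")), "")
        conns.append(Conn(cells[0], ip, int(port), domain, proto))
    return conns


def matches_suffix(domain, suffixes):
    """True if domain equals or is a subdomain of any listed suffix."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in suffixes)


def extract_iocs(conns):
    """Reduce a connection list to the hosts worth blocking or hunting for."""
    iocs = {}
    for c in conns:
        if c.port == RESOLVER_PORT and c.proto == "udp":
            continue  # the lookup itself; the answer shows up as a later tcp row
        if c.domain.endswith(".in-addr.arpa"):
            continue  # reverse lookups are sandbox background noise
        reasons = []
        if matches_suffix(c.domain, DYNAMIC_DNS):
            reasons.append("dynamic DNS host")
        if c.port not in COMMON_PORTS:
            reasons.append("non-standard port %d" % c.port)
        if matches_suffix(c.domain, FILE_HOSTING):
            reasons.append("public file-hosting service")
        if reasons:
            key = (c.domain.lower(), c.ip, c.port)
            iocs.setdefault(key, Ioc(c.domain, c.ip, c.port, reasons))
    return list(iocs.values())


# Constructed from rows on this page; the sixth data row deliberately uses the
# collapsed layout with the protocol in the Domain column
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | js9400.duckdns.org | udp |
| EE | 91.193.75.174:9400 | js9400.duckdns.org | tcp |
| US | 8.8.8.8:53 | 174.75.193.91.in-addr.arpa | udp |
| US | 52.152.108.96:443 | tcp | |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:80 | transfer.sh | tcp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| NL | 173.223.113.164:443 | | tcp |
"""

if __name__ == "__main__":
    for ioc in extract_iocs(parse_rows(SAMPLE_TABLE)):
        print("%s %s:%d  %s" % (ioc.domain, ioc.ip, ioc.port, "; ".join(ioc.reasons)))
```

Unnamed connections to Microsoft, Akamai and similar CDN ranges on 80/443 fall through with no reasons, which is the intended behaviour for a Windows 10 detonation; the reverse-lookup rows (`*.in-addr.arpa`) are the sandbox resolving those same addresses and carry no signal about the sample.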
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-03-11 21:43
Reported
2023-03-11 21:48
Platform
win10v2004-20230220-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.17.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| IE | 20.54.89.15:443 | | tcp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 13.89.179.10:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 254.55.238.8.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 97.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-11 21:43
Reported
2023-03-11 21:48
Platform
win10v2004-20230220-en
Max time kernel
113s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| NL | 8.238.179.126:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 13.107.42.16:443 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-03-11 21:43
Reported
2023-03-11 21:47
Platform
win10v2004-20230220-en
Max time kernel
98s
Max time network
153s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R4FIL8H.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$R4FIL8H.js\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | js9400.duckdns.org | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| EE | 91.193.75.174:9400 | js9400.duckdns.org | tcp |
| US | 8.8.8.8:53 | 174.75.193.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 20.42.65.85:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 97.238.32.23.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| NL | 173.223.113.131:80 | | tcp |
| US | 8.8.8.8:53 | 254.55.238.8.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-03-11 21:43
Reported
2023-03-11 21:47
Platform
win10v2004-20230220-en
Max time kernel
134s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\desktop.ini
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.220.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| JP | 40.79.189.59:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| NL | 95.101.78.106:80 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 113.238.32.23.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-03-11 21:43
Reported
2023-03-11 21:47
Platform
win10v2004-20230220-en
Max time kernel
105s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\IndexerVolumeGuid"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 52.182.141.63:443 | | tcp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 117.18.232.240:80 | | tcp |
| US | 117.18.232.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |