Malware Analysis Report

2025-05-05 22:25

Sample ID 231011-ltvk4sgh82
Target Obfuscator.rar
SHA256 62b1ec16a0de37389e6155eb717e2c3690f7ce97776479726f561c7c7cc90996
Tags
persistence agilenet
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

62b1ec16a0de37389e6155eb717e2c3690f7ce97776479726f561c7c7cc90996

Threat Level: Shows suspicious behavior

The file Obfuscator.rar was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence agilenet

Obfuscated with Agile.Net obfuscator

Modifies system executable filetype association

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 09:50

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:48

Platform

win7-20230831-en

Max time kernel

257s

Max time network

316s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Implementer.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Implementer.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:45

Platform

win7-20230831-en

Max time kernel

120s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Injections.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Injections.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:45

Platform

win10v2004-20230915-en

Max time kernel

133s

Max time network

165s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Mono.Cecil.Rocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Mono.Cecil.Rocks.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win7-20230831-en

Max time kernel

118s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\SevenzipLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\SevenzipLib.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:45

Platform

win7-20230831-en

Max time kernel

117s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsStrongAsFuck\dnlib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsStrongAsFuck\dnlib.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:45

Platform

win10v2004-20230915-en

Max time kernel

140s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe

"C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp

Files

memory/2952-0-0x0000000000D30000-0x0000000001A5C000-memory.dmp

memory/2952-1-0x00007FFEB3F80000-0x00007FFEB4A41000-memory.dmp

memory/2952-2-0x000000001C7A0000-0x000000001C7B0000-memory.dmp

memory/2952-3-0x000000001C650000-0x000000001C734000-memory.dmp

memory/2952-4-0x000000001C9D0000-0x000000001CA5E000-memory.dmp

memory/2952-5-0x0000000003BD0000-0x0000000003BD8000-memory.dmp

memory/2952-6-0x000000001C8B0000-0x000000001C9B2000-memory.dmp

memory/2952-7-0x000000001D650000-0x000000001DC10000-memory.dmp

memory/2952-8-0x000000001DC10000-0x000000001E230000-memory.dmp

memory/2952-9-0x000000001E330000-0x000000001ED8C000-memory.dmp

memory/2952-10-0x000000001ED90000-0x000000001EDBE000-memory.dmp

memory/2952-11-0x0000000003C00000-0x0000000003C08000-memory.dmp

C:\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.4.0.0\x64\ssapihook.dll

MD5 8b003c3f98f8d08968ac5d3c1cc90a60
SHA1 68f8d418638a81839a2ad665909916cda8efe625
SHA256 d52a9c53f510237a194211aa3dc7d0f22f80fcc0593d9d77e0827ba6681b47e9
SHA512 429e97c74b8e45a43d09618972f04ba46a8075867a631543eb7b7cbbb55a719cbe2e0412f3b63b989741e3807d733b2a6f3ecb735278adc5e734e18e297c4015

memory/2952-16-0x00007FFE52470000-0x00007FFE52471000-memory.dmp

memory/2952-17-0x00007FFE52460000-0x00007FFE52461000-memory.dmp

memory/2952-18-0x00007FFE50CB0000-0x00007FFE50CB1000-memory.dmp

memory/2952-19-0x00007FFE52480000-0x00007FFE52481000-memory.dmp

memory/2952-20-0x00007FFE52490000-0x00007FFE52491000-memory.dmp

memory/2952-21-0x00007FFE52500000-0x00007FFE52501000-memory.dmp

memory/2952-22-0x00007FFE524A0000-0x00007FFE524A1000-memory.dmp

memory/2952-23-0x00007FFE524B0000-0x00007FFE524B1000-memory.dmp

memory/2952-24-0x00007FFE524D0000-0x00007FFE524D1000-memory.dmp

memory/2952-25-0x00007FFE524E0000-0x00007FFE524E1000-memory.dmp

memory/2952-26-0x00007FFE524C0000-0x00007FFE524C1000-memory.dmp

memory/2952-27-0x00007FFE524F0000-0x00007FFE524F1000-memory.dmp

memory/2952-28-0x00007FFE52510000-0x00007FFE52511000-memory.dmp

memory/2952-29-0x00007FFE4E2F0000-0x00007FFE4E2F1000-memory.dmp

memory/2952-30-0x00007FFE4E340000-0x00007FFE4E341000-memory.dmp

memory/2952-31-0x00007FFE4E300000-0x00007FFE4E301000-memory.dmp

memory/2952-32-0x00007FFE4E350000-0x00007FFE4E351000-memory.dmp

memory/2952-33-0x000000001C7A0000-0x000000001C7B0000-memory.dmp

memory/2952-34-0x000000001C7A0000-0x000000001C7B0000-memory.dmp

memory/2952-35-0x00007FFEB3F80000-0x00007FFEB4A41000-memory.dmp

memory/2952-36-0x000000001C7A0000-0x000000001C7B0000-memory.dmp

memory/2952-37-0x000000001C7A0000-0x000000001C7B0000-memory.dmp

memory/2952-38-0x000000001C7A0000-0x000000001C7B0000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win7-20230831-en

Max time kernel

121s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Vestris.ResourceLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Vestris.ResourceLib.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:45

Platform

win10v2004-20230915-en

Max time kernel

179s

Max time network

197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe"

Signatures

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell\ASM Guard C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell\ASM Guard\ = "Protect in ASM Guard" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell\ASM Guard\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell\ASM Guard\command C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell\ASM Guard\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\.asmg\ = "ASM_Guard" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\ASM_Guard\shell C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\dllfile\shell\ASM Guard C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\dllfile\shell C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\dllfile\shell\ASM Guard\ = "Protect in ASM Guard" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\dllfile\shell\ASM Guard\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\dllfile\shell\ASM Guard\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell\ASM Guard C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell\ASM Guard\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\ASM_Guard\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\ASM_Guard\shell\ = "open" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\ASM_Guard\shell\open C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\ASM_Guard\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\ASM_Guard\shell\open\command C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\dllfile\shell\ASM Guard\command C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell\ASM Guard\ = "Protect in ASM Guard" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell\ASM Guard\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\exefile\shell\ASM Guard\command C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\.asmg C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\ASM_Guard C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\dllfile C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\ASM_Guard\ = "ASM Guard project" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\ASM_Guard\shell\open\ = "Open" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\ASM_Guard\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe

"C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

memory/2924-0-0x0000024E66870000-0x0000024E66EC2000-memory.dmp

memory/2924-1-0x00007FF94BB50000-0x00007FF94C611000-memory.dmp

memory/2924-2-0x0000024E68A20000-0x0000024E68A21000-memory.dmp

memory/2924-3-0x0000024E68AB0000-0x0000024E68AC0000-memory.dmp

memory/2924-4-0x0000024E68A90000-0x0000024E68A9A000-memory.dmp

memory/2924-5-0x0000024E68AE0000-0x0000024E68AF2000-memory.dmp

memory/2924-6-0x0000024E68AB0000-0x0000024E68AC0000-memory.dmp

memory/2924-7-0x0000024E68AB0000-0x0000024E68AC0000-memory.dmp

memory/2924-8-0x0000024E68AB0000-0x0000024E68AC0000-memory.dmp

memory/2924-9-0x00007FF94BB50000-0x00007FF94C611000-memory.dmp

memory/2924-10-0x0000024E68AB0000-0x0000024E68AC0000-memory.dmp

memory/2924-11-0x0000024E68AB0000-0x0000024E68AC0000-memory.dmp

memory/2924-12-0x0000024E68AB0000-0x0000024E68AC0000-memory.dmp

memory/2924-13-0x0000024E68AB0000-0x0000024E68AC0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:45

Platform

win7-20230831-en

Max time kernel

118s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsStrongAsFuck\AsStrongAsFuck.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AsStrongAsFuck\AsStrongAsFuck.exe

"C:\Users\Admin\AppData\Local\Temp\AsStrongAsFuck\AsStrongAsFuck.exe"

Network

N/A

Files

memory/1644-0-0x0000000074560000-0x0000000074C4E000-memory.dmp

memory/1644-1-0x00000000013B0000-0x00000000013C4000-memory.dmp

memory/1644-2-0x0000000074560000-0x0000000074C4E000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win10v2004-20230915-en

Max time kernel

147s

Max time network

166s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\License Agreement.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000044e7540fef135e499edf4eab70c71d2f0000000002000000000010660000000100002000000090305da4e811800825feee5f36ffdf74bc41b37af37fa6b75a1bc70a093dd11f000000000e80000000020000200000007118bef7040ff8e8862733a1b5e74cbe05b9e3b3d77f31bf304bb742bb3f4ca7200000008db6bab925337fc030cde2c0dcc658e2398318de3782acb49de8b24b202ac8bb4000000014ea5e161c47e5ca53e9ddbf1ff9951504e75c22ac32db93540d736833eb4168511f0daa04ca1691d00e16cd0c72cc9dfaacf23629c23e9f5cdb710f4dd00fac C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "58507029" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "58350837" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31063130" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401530143" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "58350837" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00fbba8fabe7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000044e7540fef135e499edf4eab70c71d2f00000000020000000000106600000001000020000000ac564603b340007df35ab16e320b846f1000c4e7667909f9d19aaa47dcad92c4000000000e80000000020000200000001131b3d38eff837011fb8ab4fbb31c0dc60c1695ef7365e73b7ab18c0e91b32120000000b32d75a9d87583c01bde21797587c2c82463248e5bd98452f3808fe9e8558d3b40000000cea67902d719994488e41aaa538a39928c757326995e5ac76dea5b8aca7278ce3309feee5466bb1c0232f9f9e3b5feb7a5f2aa7a53f5378d0878e57710f55fef C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31063130" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31063130" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2085b18fabe7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{ECE6BDAC-684C-11EE-9D98-DA5D5E1D8AF4} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31063130" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "58507029" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\License Agreement.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3792 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FXXN8G02\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 dd9a098ac39cc1c2b25c8402ce6d380f
SHA1 d0508db41d940736a17e4cc9e3478af4bb9b92bd
SHA256 08315af11b322cb6c141164ec948831799cf118a4330904adb82804706ebd36f
SHA512 612e6c11f339197a852aa3902da1af7777868a7b93c17611550ec5488211340b501838cde858083f7b6c5ad5ccb05a74e8bebe88a399c9a41dd310660048e6d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver3EB0.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Analysis: behavioral24

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:45

Platform

win10v2004-20230915-en

Max time kernel

144s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\SevenzipLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\SevenzipLib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:50

Platform

win7-20230831-en

Max time kernel

269s

Max time network

325s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\License Agreement.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{98820B70-684D-11EE-8E84-7200988DF339} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef0000000002000000000010660000000100002000000034e05d94bef1d2c9d9e74bbcc365e694eb634bc22ab6749257bea9bca362a834000000000e800000000200002000000072a7b7c73f4bed3005e4e7c5c6b6d555c200c1c880d7629e6e33284c35f82a9290000000ebb81c1238ad5b3348ad22e13d4752bbba98fdd360ec5a0506e470443acd02d6bcdc8bf92b1150d38d88cead130f9dbfbdbb164d82486fce5e1eceb00b571ac3d69ab858c2ec624e41a540f1267c7ab20d2ab6d2726480dc93efb9765a709f83cbb71d5d27265b8edc72654ed18d4c848f3f559156d1dc6469dceb68284d91028ef92a3e0edb7d290ae8caa3736db181400000000d7a4571c652c73271294bc1c94f8768913c89fbe0eec5a6cd85710e5d7ddf7fc275390dc5980972ed5e6a7c83b2b4828151de93243f5e5af33b92c3b2c020c1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0045e4805afcd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000d99b5924cdfd8f0e427d23957150f90060819e9f8d6598369eece97f1860f54f000000000e80000000020000200000002f07b134179020c0add5a76e641aed21ca564818702d5e26202c6d5efcbc780e20000000ef81c8763c3a0681cefad6ec68787d42c7626d086382f3ea3821ee36b7ac4c9540000000cf296a174b845de287f8bc9106a13aba50266345a78d4fbdfbac9664cde95f97de6e6ec54dd538b212c88e0bfe5f89771ac584f2eda6ac91caf8458bce61ad69 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403201172" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\License Agreement.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab31E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar10E8.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cea9b53d78879903bc0ed7856f7b67ea
SHA1 59e526018214d7285f92db42f4d5b553d5c4d9c0
SHA256 f47e55edb7f16b8c94b521c4b9808106910c01196500d50b9c611822a147b2bc
SHA512 d81674ec8a1a3c7616068c2fa9b26d86184e5a78b26c63840660e867fb560b40393c1e1c1a352c58d0e2b8bbf6ecc9007984d575fa1325a84495bc7a74ff1554

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 baf1ae6818cd0516dee983138dac9dc4
SHA1 1e4d30663f91cd88c3caf1a98f83f15d4f7495a6
SHA256 6d263bfd508fa9047955878bacb3cc7d45a78d92446db90c90ed1e3778b6f110
SHA512 5dd4d820366b9af58c46c3c99420e0d550cc34e0f087e59197480d76e636c7a25b65abe793c3984c401f164f121a1f15fcec1c1775b2c010b4b4e5cf03d16b3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8dad98f9cf47eef30e130d47b4c79fd9
SHA1 6b61c08bd728a056b5569442c807afc3cadac868
SHA256 861a22275fe4187d4a5fc86903572491f14cb913a858a0bf19a95b4582e7d14c
SHA512 2cb2b767bbd9b040866e28e492f3c7dffcde86783d2ecc2e4a43d2177dfe4e242d9721d740f69e216e8ca91c1beadeeefd3b594e3ec198d04c20c72e858a893c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3549482d926940f4121ab1d5a79e5f03
SHA1 3aba35330797074551b8c84a0570380a8bff1182
SHA256 56a28b36efbfde3b68261dfd09e9f8d4d9bf226d060bd1dd743ef4daf639636b
SHA512 32942a2bf2462ba17bc38aa3f525514a9369021464e2f1e1c149ad07cb7ea0fdd27d75c678299b0be6ebb060523a3abaefae23ba73cc857e78a19ad478264ed4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aebc53fdeca7f5b3d4671cde53780054
SHA1 7c0072ea63b725a0ce15a4cc3e6ac3591ca9a816
SHA256 bb0088b20a317db1e88ecb4581ca5874258761107ccbdab0173f23d46658b685
SHA512 1ddd5317c54d8504c438ffd49219e1be4f03d14c55c3c7252ecb590056f9c578b76d7a32dc70d1e18dd1e3412d58a35b45aed2a84bd9e089476787fa4470c312

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a3d55e00ff9bbd3b649ac7f193407f4
SHA1 07c63f887ae8aa2f4f24a1d158b55a3239039790
SHA256 54f30d7d7c57cf039c3eebd1b933e367cb901ef044b93b7ce5c878d20cd40dfb
SHA512 5c5dbf85075f35c6641cf81b4f9151618245a931829c88dbf2f3803c99cb07285261eedd8586ec53e6dd846e5faa4791af28a33780e6bf237e95d56f5216ddb1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 652eba5a87623b2e00cae7a545031a98
SHA1 b8c4e0a40861e54760f52613d580c3f066cd7280
SHA256 77eb8496037917619b9186b087aac09c9f5b0f15def4fcd6d8d6a27b9cbea4ac
SHA512 7fdd3ac1681550699115f7a13089b7720fc7b7596de5caa3e54f5ddf03133c559cd94199e95c07baec9df566496509f52b27671853c05f52f14495cf86c43b5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4f1cbb9860c38e8da6df6fb7998ef76
SHA1 b60ea814a913dd2781317f71fd170c4932bd4856
SHA256 9f4cac446d157428c3860e7ce8a72541020a8933c5e4275d501f0436408ee3a1
SHA512 3a67c639d8561dd714dd434fff89b93a89152d81c47e84b8b1f5ec99cdbbb5d652bdebca00ce03b16379061d0d991f2e02bb2027c5c6fd06146c019b62f5b32b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e2ff7f6f1ff7627f626bc19af7e1b42
SHA1 d29740f2e5608f35c037b76ada7ba448bc14f924
SHA256 8e2d970041510b4a95ec22037c14ee8d8a45502a89eb0403229c952716897ad7
SHA512 58e32b2b4788bebaca24498e0f412bd244fe463bb609cacd65c7a7db1096a1bc86bc884f9281a0eeb67a5860884472318f055fa11081bc779c0a2aff7e3d2a4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6be052f8a75ac2212f57e800605ad382
SHA1 115dceb46ccb5acadfb37b3fc1c23c88ce185269
SHA256 f9e7c34edc078fcae60f6fac47f627a890e252bde86467e987545bf15d9ca5c0
SHA512 8744832a9234435797692482f272ef2b177f976fa46b58660f1eb5d0a8159b9814ccdc26abecfd8dadbac80c53fbce1f4120d6d64166147f1618b8a001ab3e15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ac202339f4a4c9235219baf729d3af2
SHA1 ee1c9af0aa98534490575960f9f6874773fe1f6d
SHA256 bb461b88e93245e54ae48fa5c5d9446f8ada23116851d39db7102dbbd3dd592a
SHA512 c73aa104c2cb042d4a3df47d88650a546982e8feead9c5a25968418ae9ed4f43f5a9eab72fc5427299900828013bb8985a5f8dff479a9230703aba29f04b5a75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7da19720d8c60aaa022e9d042e8cde82
SHA1 7c7dbcc65db1e3d21f4ea4ec9771eaedf0ed276d
SHA256 1d65303c9361f0adb2a6d793742c44ceff4bda4e7df6e10e126a5840b08361ca
SHA512 7f70860ff9aa2c4b3fe80a209bebcf31a54533e347022cb2d3e4310774d0738dc673f751581abe28fe3f4f27614022bc856c54c2f985c6bb02ce3297a7f1a404

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4aaccfbb1d46f3e57555414b08c6ffb9
SHA1 494369a689ea95dcd0ecdd51ade85f33e8136366
SHA256 21e5bc384ccb545b9385cecad32779cc39cc830751825923d4dda5b7948d0501
SHA512 852b387e32b0a5561b5b79fbaf1c61325a5fd8b75b2aa6346535735c54c86409d05989348605a0d1b7e0600834af2479948cd408b56a97a8c340b37c4524dc6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 473f5284758bcd37c44a0ed679249cc0
SHA1 8ff90b91cea53ada9f1aad2bebac849f47704376
SHA256 01b09ba7c44007e93ebe21d1ffbdf4e74e6171b1a5715aafb010bf415d8aaa01
SHA512 882c1536c5bcdcfb21e5e946c48a3b28087713ba0a210f2ea4ebfece28951b642804b9aedad7aa1d0433d0493dabc6e206628ff40e9ff0e4880e9de9dd947984

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fbb6af46f065f7ae5ef29651e91ec89
SHA1 8586e8d7e7aacd7366038858e98845b1c3f59d9e
SHA256 725fef7ca34a26cc8b0a6e4dfa3d7fa00b060dfb2f06c931a35e9b76b69b9a84
SHA512 604b352ccfe3b851a7e180fde80c420e252c65a91fdccdb113c4ba40ca556422de9055389129efee298410a6e4cdb66527613074da58548ff4502c38be0793fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b51c38d816ea3d9dda78119380e2801b
SHA1 174b6b99a52a5d7ee3daa68678dfca602e6b59a1
SHA256 59dcbcdd16350af0fb96bb23f2db5ccbc0d42b47d245676aa03c6d654ae7b92e
SHA512 aea3cf62a369e69ba0039d4dec535b7ceec380fc83acf95ae64fb080981e8dcb9a3e500b1fadc7b171b36f8591678768a1eb19a78201917caad4c5d44f9e6048

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7f1978133e48e57b0beb4bbbfeab19c
SHA1 8f57bdd195bf548d8b9c157f7a995d8773c41756
SHA256 6e465cca300dfff4eabb84a692c8afece91a107847e98fc0c671b996a73b12cf
SHA512 5c35adc7872ee05bfa14b5fe588584a5ea29c8945adf436c128d1418c8f530851e970f82d408d3ec3f551e3a2dfc0afd9b0bd83af2bf3612fb428a0d481753a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d493356bc4a52944ff6dac5ace64e96
SHA1 912380fc7ecdf3dbf6904606a4d95fed9095ba53
SHA256 65cf58a6fc49e460cab69f206ba621aabdba2cf00151314b7a0acdb0f84dd89d
SHA512 3816c2f398a47d2f2071c2590432d1a8c6ba11bbab11a0f668673b3d1bc8aab3515bcca3a4da97e05c8692e5584642bd8f326cb49d93cbd57c2d7f2907e4fc19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff46964bf7f93b0e8ff5ff18fe7a454e
SHA1 21abb8714b9236fb906f29997f321b64f1a52e20
SHA256 22dd16875226986aecd866fba841a9a95b8dafd781b2ce5c063272bdb2f2b8e5
SHA512 b4825e0d7f44821d3abe02fb2a64527e8aee0d7a729be52e44b9cc3a8bbdc326d57afedf5f87691d0e4e20804536aab6ee97f7b3d0076a8931fed0eea8898b0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3909e40555c75fc11099ed1e9422b902
SHA1 266a6eacdd54133a47bd37757aaac8809189e9be
SHA256 b56e895161bc665cc90acc7f0fe5f7bd1d449a26e6102d5bd96b2b83fc0fc12f
SHA512 3274dd4e075ed3d455317c6b7c5e490f107250d2168bdd55ecb0039d36811d0943121cb41c1db989b421b2647c2bf37f82674ea6837733dc9b8ba82b180dc6fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc4e060c7c963491ad53eaef202f02d4
SHA1 c5e9c55a34ad4e324880782600d92d46ca1d5b51
SHA256 1d98d06c53b15f6d55222b2deaed3e0a3bf77fa83462fce865e3ae5191a3c411
SHA512 844ce6b463c4b51b9075fcaa171f3aa96c60c8a571a8296c5a98a5a0d6378a35ac865f25ec7535a969335cd633f35a887612e28e2907d16934d1c3ed38a8c6cf

Analysis: behavioral31

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:52

Platform

win7-20230831-en

Max time kernel

343s

Max time network

400s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e069e8cc5afcd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000534146cea2c9df2a83ab38a31fda4920d4cd57b555c8b075f6472dd51ba4f116000000000e800000000200002000000012871da567ee01d47fd5da0a0954bc0e5b74ebb0668cc939ae854946b3038c2d900000007451d68aa4f6e217e558b69e881f08134af09f79ed86b1456ec5adc637dbd20babf70f0a114102219d993613a2c4780e49f617253ddceb89f2579cd7aebf462171dae7814569a35cd69170ca3922c6beba7e7cbf711ae233b7f864b6c9fd81408b05b23dc407a4bc66b797ce5451adfe79562112901470d891d8779d2c6ebc6d35b9bc4cbfc1844861e02c86af4ab274400000009fdb141804a8b77efb95e35ce96fe963a4a283bdd0d71842fc42c8119d2b02ebc452cf268cdc8664e187351983be359fe1d5503c58edf13579713190f945c7ca C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403201298" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000b66ac33253dcb686ed7e96f26e2e4781e55e52c6a9bffcd67235df66a2f65899000000000e8000000002000020000000391ca229c6c4ce68dc0090ac6d2f2e57b737c852f05cf737ff0325e389a40bc9200000005c0babeee03c12bf0bc75395bb5ed3982fbe84a15854eb5b239b68377df3773c400000004c25e0bde16979e0943bb2eb41b03f043c320fdf15f7223a02d1b79633c0f2b41c861e0ff5128748e8e86142e152ff8639999d81ec8169579c83d88142ec667f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D2966451-684D-11EE-992B-EEDB236BE57B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DOMStorage\localhost C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DOMStorage\localhost\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe
PID 2896 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe
PID 2896 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe
PID 2896 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe
PID 2480 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2480 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2480 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2480 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2820 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2820 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2820 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2820 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe

"C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe"

C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe

"C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:56733/help/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2896-0-0x00000000008B0000-0x0000000000B52000-memory.dmp

memory/2896-1-0x0000000074BC0000-0x00000000752AE000-memory.dmp

\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe

MD5 db1c91c8d1d7573371cac6a51bf3a1b9
SHA1 291fe96baeeca49fd4271f06b885477de284bf9c
SHA256 a3f0cebda251dcf4ccb5915d8ead90771f76e0df9fbb35193b74e4687852d473
SHA512 da066b919316ce98255562c41c4267dd3059695028d8c8b19ed1303a57b909efe0a333bb2d7a5020c5c0c88824e233242548d3673d7f8a01db11a393b92da3ca

C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe

MD5 db1c91c8d1d7573371cac6a51bf3a1b9
SHA1 291fe96baeeca49fd4271f06b885477de284bf9c
SHA256 a3f0cebda251dcf4ccb5915d8ead90771f76e0df9fbb35193b74e4687852d473
SHA512 da066b919316ce98255562c41c4267dd3059695028d8c8b19ed1303a57b909efe0a333bb2d7a5020c5c0c88824e233242548d3673d7f8a01db11a393b92da3ca

C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe

MD5 db1c91c8d1d7573371cac6a51bf3a1b9
SHA1 291fe96baeeca49fd4271f06b885477de284bf9c
SHA256 a3f0cebda251dcf4ccb5915d8ead90771f76e0df9fbb35193b74e4687852d473
SHA512 da066b919316ce98255562c41c4267dd3059695028d8c8b19ed1303a57b909efe0a333bb2d7a5020c5c0c88824e233242548d3673d7f8a01db11a393b92da3ca

memory/2896-9-0x0000000074BC0000-0x00000000752AE000-memory.dmp

memory/2480-11-0x0000000074BC0000-0x00000000752AE000-memory.dmp

memory/2480-10-0x0000000000180000-0x0000000000422000-memory.dmp

memory/2480-12-0x0000000000520000-0x0000000000560000-memory.dmp

memory/2480-14-0x0000000074BC0000-0x00000000752AE000-memory.dmp

memory/2480-15-0x0000000000520000-0x0000000000560000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O2X6Y6U3\reactor[1].ico

MD5 1399728083fae334b8d8a6de0aebb821
SHA1 cf2fb4f60cd53565f787164d8b58e05528250078
SHA256 bd98ef83d92712dd1351beeabe7c4223a8ca8ce87ff9d9a5371d006a83578392
SHA512 fb3d073edccc36afd8f76568bc027850e2e27c78104cd6c4a6735ee0d40ddf9c349af6bc613dd84f4f1671ea3fb0baa1d7cf7683abc78cc25cc68cc04fae1de9

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6gi47o3\imagestore.dat

MD5 2851e29d97e1e237f7281f3ddedce6d4
SHA1 974766e35a81ae1046a929c87d848a0eaf337726
SHA256 28972f7b12040aecc8b851723a5f94d078e5cd648a80a34bcd8a60c9d125ac5a
SHA512 3a95574c69279e00bfadcf87ca3f44b2eda6be4b667f266b8121138b81e85dec11810797a982d03057cb76da9a6a973ac19f511586b6b11826d293ff1b88ea6c

C:\Users\Admin\AppData\Local\Temp\CabF4CC.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarF953.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8dd8c69d94181efb00ca493c3349d7d5
SHA1 92e0b1b6d5bf2039a03bf9b4d4a0fc68a8184d53
SHA256 97dd41783f9c986ec4af081bc698e4ef4c469e646641eca05a4d1fbcb9c74844
SHA512 4cfe233fc0f8726d294f294fe198aeda99cf3f9307b33eacf46e292d79e55768c9e84e9c3dc1eef84cddda814b1610425f6f3186a959c180292fa885486974bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca81a50c990c02ca398de60e3a116493
SHA1 4d52d3c57e6bf00709c7ed876882b80836a46557
SHA256 a052ddd5ebf8c600db3b6ea4e50559de9e41ebfab9f8a1923ade2cc59bdc175b
SHA512 5c2f10f0b9a60c7e68cba903966023c9ec7bf0b4734c6bcc87547f7725067910a71e40bf03dd4d5d0bad13c24a3ce195007351995229cbec46204101bdfe2cfa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b401f24c23d6903707df5da7791592fa
SHA1 63aad962834d968b57efc12173091e202b957bb4
SHA256 b97ebffb21c3573baa2bbf4596e00d9435696fea0d0e092a0f5fc2f081a64943
SHA512 b81e3c53510c4cfda7804f12e6f2086e6709f196584c1e678dccd64bc63e4feca8f08ee09a8630c389866e6b4a0f3df9e05895cef845384f2fdf08af82cb36e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 214fb53cbf3514c3f969860bdacdb476
SHA1 2cefdf5e44e8e172d62434bc84358a45ea62da46
SHA256 b7cda16aaced4bffcdc8126903feb37d1ec59794f623e05026a051b53b90e630
SHA512 8b2d8363c918f69162e0cf38e20f32763f91f5a1186997853590c94da83fb4f38aba0295f686faaa8ff06cc5f7e11a8c5ff3209a05e20932db7f11c3f5df0e47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0cdc2246aafc472d22b7acc8db86e1cc
SHA1 ce0f10edff355f8838e601c69c16c90af0842be4
SHA256 8ad12d104c996abfd66ca956905d67154ba65a6a9262d4e997bbd8a226e941bc
SHA512 bed85fec1adf5e7ab3ba9ddaf8d0ab9b0a73e5b1919adb3425d54c4d91a09e4883792deeb6e9168d456dfe87d94cd7f8e75884bbe4b9b3cd9405b047111c7521

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 719fd9c0c656ca6da770072a7cadbdb9
SHA1 1e7896556cd928471e6dbc7a12f39b53d013ea98
SHA256 70bd75443a6d191e46435c966155c1f356b6149be63c5677c39ec59309c1fc21
SHA512 e950e57a12bcb51406c17c9fc063a4d397e3a4b4296ab6b09c3c6a6a3fb310d91a44c682d0980b1d5417ed6dc9a5aad5a390bb2fe3b437cf5de18f8623713f3b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0968b5ad4e995289ae3478eafdff7ffa
SHA1 d5fd59e11addc6707bd0ffbc6da930e59f825683
SHA256 f86fc3dd500e6b5f56346c5c6e9f51e7aca4a94c5c85a6467025e4608db0f621
SHA512 70d96f96e70b810ec8d875104b25e0f3a535ece34ae1648b7bf37e51e9a248daa021e140b0aace0115b7ff34b864f5409fc28ebd1051688761e59fe4ec1f316f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b90b29dc0c52348d3169ea5d334e013f
SHA1 2584d226d1a9c7bb98cc4c7d0bcaa3fc470a00b0
SHA256 2edf3715c83082cddcab7bdd907df569ed2f58495d027eeb1dc88825b96f86df
SHA512 006a7143858cf981a552942f94ef29515ec703032581b234aaf81d1dc958fe99fb9c2394e2793f977f4ec23e53cfea0467a35785c5bc1187031d6cba2ed8f53e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61074a5fce61d2997acb99a27fa7df30
SHA1 58a92d53124a730aaadfe77c193f35310eca3418
SHA256 616e990e2393826df10a9dbe4d9e062fd22c08bcbf547ffa2be71e9ef87b2533
SHA512 d3012691f7470d4fde008b6873175c9ed740d87473e44760fab3317ff574fa5c9809b52491f87073f8fe23466f141b21b48f505676cf25eac8947f5cdde88960

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47303f1f3b6e33ffdcc242663df03e77
SHA1 2799911ada594bff0eb7c72b9dab390b11bba5b8
SHA256 f0a8ccb9bc4d3c1a1dc510b6db65fa6d4160006eb4be87d1fc4520b1925f2456
SHA512 3087a7cde5d6e3a22b931ec419cb9a062862400b24d1d28b1728150e422478e6c88ab23ae7ad4d0ac42abe2174d12be6712516959527e431487b724782836021

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6af29e6e0571331b60e0f838464ece8c
SHA1 932cb5a80581006ad3552f01550932b59e13ac90
SHA256 8c105639a027b77b81e252f441c03281fce33cccb2f6a455b6d3f877b95f2ac5
SHA512 276c9d0f1392d317cdd11440637130358e29b66c15a226aba3629f132101ad34ce6dbc9e64ce78c1b964c595539130cae2bb1ff51480b0c7b01e4894de342751

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49fe343f820af75ec461535d25543bc4
SHA1 a871f8ffa2b4b92ba49c9b3ce19b7e5e2d4a78f1
SHA256 e801a9ac81332420d4d435609198e53365c6926f1c573000243ab4f5302fb0d6
SHA512 be075beeca016ba8d1b59a91fc3594564094937b67f3761282292f0d880d7a294b0c7da2a5d33a735a2efb175f7e88e7af32652d5635b1fbf7755295846b0c6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f702ea41ed4e23b5c0c074105b3d824b
SHA1 1aa99b072dba9a66725305a522ef0b45d28d32b6
SHA256 0a0de9cec527a333a8f30093c4e5d76a60d69406e96d14dcee48002aef128d88
SHA512 3b7b008e46bd80d8da0ec0817e00358ad5056a52a29d7179859f7dda64f615f8a83a56cec875fcbbba700b0412ba4e200079c261a7d6995864f0b95f208c0da8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df9be290d94ec2fbb5fffb13a48c58ca
SHA1 10142d8f881fb55f3bc614962370f667bdcbd80a
SHA256 1b8c8b1ad02354a374beebd84b1b8a793badb0e670e76424b92de05a8e4a3480
SHA512 ad7370a2fd6c438ee57463ba8c753ca1d34c794fc9812438156ecd77146c9949b0c5a87e6ae95ae1d17391f5c64388c14cac6cf6bc4ec9f971ca7df5274100af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bef80853632f5c93bbc38f7bc730556d
SHA1 63339da4449ffc24bd3a52f37e61fc0e04980969
SHA256 f3370f9408149e40e3e3ead2d9c0b30a32afbecb95cc4dcaa5593d814e4770a0
SHA512 75a6e14fbb7ec14b24e15e3f86ca93e200025958fff0104f0fa244e17befca73f49adb09258c001b8b7948d5dac1a692b258b704b8f23ff069f57e8d8247d4f9

Analysis: behavioral11

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win7-20230831-en

Max time kernel

122s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Helper.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Helper.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:47

Platform

win10v2004-20230915-en

Max time kernel

253s

Max time network

323s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Helper.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Helper.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:51

Platform

win10v2004-20230915-en

Max time kernel

275s

Max time network

489s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Injections.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Injections.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

181s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\dnlib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\dnlib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win7-20230831-en

Max time kernel

119s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\dnlib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\dnlib.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:45

Platform

win7-20230831-en

Max time kernel

122s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe"

Signatures

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell\ASM Guard C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell\ASM Guard\ = "Protect in ASM Guard" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell\ASM Guard\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell\ASM Guard\command C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell\ASM Guard\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\dllfile\shell\ASM Guard\ = "Protect in ASM Guard" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\ASM_Guard\shell C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\ASM_Guard\shell\ = "open" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\ASM_Guard\shell\open C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\ASM_Guard\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\dllfile\shell\ASM Guard C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\ASM_Guard\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\ASM_Guard\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\dllfile\shell\ASM Guard\command C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\dllfile\shell C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\dllfile\shell\ASM Guard\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell\ASM Guard\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell\ASM Guard\command C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell\ASM Guard\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\ASM_Guard C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\dllfile C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\ASM_Guard\shell\open\ = "Open" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell\ASM Guard C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\exefile\shell\ASM Guard\ = "Protect in ASM Guard" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.asmg C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.asmg\ = "ASM_Guard" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\ASM_Guard\ = "ASM Guard project" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\ASM_Guard\shell\open\command C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\dllfile\shell\ASM Guard\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ASM-Guard\\ASM.Guard.2.9.1.exe" C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe

"C:\Users\Admin\AppData\Local\Temp\ASM-Guard\ASM.Guard.2.9.1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/1712-1-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

memory/1712-0-0x0000000000B80000-0x00000000011D2000-memory.dmp

memory/1712-2-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1712-3-0x000000001BBC0000-0x000000001BC40000-memory.dmp

memory/1712-4-0x000000001BBC0000-0x000000001BC40000-memory.dmp

memory/1712-5-0x000000001BBC0000-0x000000001BC40000-memory.dmp

memory/1712-6-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

memory/1712-7-0x000000001BBC0000-0x000000001BC40000-memory.dmp

memory/1712-8-0x000000001BBC0000-0x000000001BC40000-memory.dmp

memory/1712-9-0x000000001BBC0000-0x000000001BC40000-memory.dmp

memory/1712-10-0x000000001BBC0000-0x000000001BC40000-memory.dmp

memory/1712-11-0x000000001BBC0000-0x000000001BC40000-memory.dmp

memory/1712-12-0x000000001BBC0000-0x000000001BC40000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:45

Platform

win10v2004-20230915-en

Max time kernel

160s

Max time network

173s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsStrongAsFuck\dnlib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsStrongAsFuck\dnlib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:49

Platform

win7-20230831-en

Max time kernel

240s

Max time network

318s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\LoginTheme.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\LoginTheme.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win7-20230831-en

Max time kernel

122s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Mono.Cecil.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

200s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Mono.Cecil.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win7-20230831-en

Max time kernel

179s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe

"C:\Users\Admin\AppData\Local\Temp\CryptoObfuscator\CryptoObfuscator.exe"

Network

N/A

Files

memory/3020-0-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/3020-1-0x0000000000CD0000-0x00000000019FC000-memory.dmp

memory/3020-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/3020-3-0x000000001BDD0000-0x000000001BE50000-memory.dmp

memory/3020-4-0x000000001BDD0000-0x000000001BE50000-memory.dmp

memory/3020-5-0x000000001BCB0000-0x000000001BD94000-memory.dmp

memory/3020-6-0x000000001C680000-0x000000001C70E000-memory.dmp

memory/3020-7-0x0000000000C20000-0x0000000000C28000-memory.dmp

memory/3020-8-0x000000001C570000-0x000000001C672000-memory.dmp

memory/3020-9-0x000000001CB70000-0x000000001D130000-memory.dmp

memory/3020-10-0x000000001D130000-0x000000001D750000-memory.dmp

memory/3020-11-0x000000001D750000-0x000000001E1AC000-memory.dmp

memory/3020-12-0x000000001E1B0000-0x000000001E1DE000-memory.dmp

memory/3020-13-0x0000000000C50000-0x0000000000C58000-memory.dmp

memory/3020-14-0x000000001BDD0000-0x000000001BE50000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win7-20230831-en

Max time kernel

130s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\DotNetPatcher.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\DotNetPatcher.exe

"C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\DotNetPatcher.exe"

Network

N/A

Files

memory/2724-0-0x0000000000D70000-0x0000000000DF2000-memory.dmp

memory/2724-1-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

memory/2724-2-0x0000000000250000-0x0000000000260000-memory.dmp

memory/2724-3-0x000000001A860000-0x000000001A916000-memory.dmp

memory/2724-4-0x0000000000360000-0x00000000003E0000-memory.dmp

memory/2724-5-0x0000000000360000-0x00000000003E0000-memory.dmp

memory/2724-6-0x0000000000360000-0x00000000003E0000-memory.dmp

memory/2724-7-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

memory/2724-8-0x0000000000360000-0x00000000003E0000-memory.dmp

memory/2724-9-0x0000000000360000-0x00000000003E0000-memory.dmp

memory/2724-10-0x0000000000360000-0x00000000003E0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:44

Platform

win10v2004-20230915-en

Max time kernel

133s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\DotNetPatcher.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\DotNetPatcher.exe

"C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\DotNetPatcher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/4848-0-0x0000000000170000-0x00000000001F2000-memory.dmp

memory/4848-1-0x00007FFC12260000-0x00007FFC12D21000-memory.dmp

memory/4848-2-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

memory/4848-3-0x000000001B1A0000-0x000000001B256000-memory.dmp

memory/4848-4-0x000000001B160000-0x000000001B170000-memory.dmp

memory/4848-5-0x000000001B160000-0x000000001B170000-memory.dmp

memory/4848-6-0x00007FFC12260000-0x00007FFC12D21000-memory.dmp

memory/4848-7-0x000000001B160000-0x000000001B170000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:45

Platform

win10v2004-20230915-en

Max time kernel

108s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Implementer.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Implementer.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win10v2004-20230915-en

Max time kernel

136s

Max time network

199s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\LoginTheme.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\LoginTheme.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win7-20230831-en

Max time kernel

117s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Mono.Cecil.Rocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Mono.Cecil.Rocks.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win10v2004-20230915-en

Max time kernel

162s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe
PID 2028 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe
PID 2028 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe
PID 4824 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4824 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 2560 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 2560 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 3572 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 3572 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2148 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe

"C:\Users\Admin\AppData\Local\Temp\NET Reactor v6.9.0.0_fu11\Help\REACTOR_HELP.exe"

C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe

"C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:56068/help/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd2f546f8,0x7ffcd2f54708,0x7ffcd2f54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,17277724139095299746,1935878031379788658,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3088 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp

Files

memory/2028-1-0x0000000000B90000-0x0000000000E32000-memory.dmp

memory/2028-0-0x0000000074CC0000-0x0000000075470000-memory.dmp

C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe

MD5 db1c91c8d1d7573371cac6a51bf3a1b9
SHA1 291fe96baeeca49fd4271f06b885477de284bf9c
SHA256 a3f0cebda251dcf4ccb5915d8ead90771f76e0df9fbb35193b74e4687852d473
SHA512 da066b919316ce98255562c41c4267dd3059695028d8c8b19ed1303a57b909efe0a333bb2d7a5020c5c0c88824e233242548d3673d7f8a01db11a393b92da3ca

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\REACTOR_HELP.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe

MD5 db1c91c8d1d7573371cac6a51bf3a1b9
SHA1 291fe96baeeca49fd4271f06b885477de284bf9c
SHA256 a3f0cebda251dcf4ccb5915d8ead90771f76e0df9fbb35193b74e4687852d473
SHA512 da066b919316ce98255562c41c4267dd3059695028d8c8b19ed1303a57b909efe0a333bb2d7a5020c5c0c88824e233242548d3673d7f8a01db11a393b92da3ca

C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\Help\1_0_0_38\REACTOR_HELP.exe

MD5 db1c91c8d1d7573371cac6a51bf3a1b9
SHA1 291fe96baeeca49fd4271f06b885477de284bf9c
SHA256 a3f0cebda251dcf4ccb5915d8ead90771f76e0df9fbb35193b74e4687852d473
SHA512 da066b919316ce98255562c41c4267dd3059695028d8c8b19ed1303a57b909efe0a333bb2d7a5020c5c0c88824e233242548d3673d7f8a01db11a393b92da3ca

memory/4824-16-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/2028-15-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/4824-17-0x0000000004E80000-0x0000000004E90000-memory.dmp

memory/4824-19-0x00000000029C0000-0x00000000029D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_2148_ISODTOXSEWWUSVUD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ded78e40bbcd58dd641f86bcca2c0667
SHA1 30bb01a3e28909aefc143904144ba73318b1ca90
SHA256 3120a0cd1afc0eb22c6bfdfb4b247a3458d9e90c9570509731cc9c414707408d
SHA512 95427ae7dd2646d587e2ed3cf3469df563ac0cbcc6cff79eb6e72d99ffc0455cf7dd4010c5f7d3ebd718b7fe223e7bd130822c987763836a39dea05178d261b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4824-70-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/4824-71-0x0000000004E80000-0x0000000004E90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9b32b049bb58cb2b32b507040bc45a4d
SHA1 7c3f6590ee58743bfd929d55c02958f11079643c
SHA256 01ae05194da32e0384f66784ae6fdbaa3593af0e28e8b54a36c2e77351b6dd65
SHA512 a7d84c3a9e7e2aafcb36328719a64c4e72eb6b44d4bfedb4bc8cf9a8213e1408c88facf6838d9db54bc0ec0a0a0ae017b8c19c8e0c0ebb5108825e751dae4a68

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9326a57fda75d5c6c62a023260f40da2
SHA1 53ba9ac11055d5476ea1a239188e7b2cb928bf3e
SHA256 ad53e85e4f6e44aada1a6dfc9b225c7b658f7330abce08b3124a7ce8adb8cab0
SHA512 f6d47065b250dde892dbf600c1874e30121561f46392442c9da60ffc54799e5053ec23d83a3b3075f00c398ae244e3d8e2c49b0d482f813db26bccc94a1411df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6559331e278dfaadeca8b5ce6885f8a3
SHA1 fc544c52e3a6dc875d6a75d4ca1a909f990c3756
SHA256 945c0141c0f20abfa6f4f2f1d476d6aaf5084dab651948fe212d120c1c798aa7
SHA512 3694cff494f6d23f047caa96ce1a6abd135aec656908888cdb07814502f7f7cf9951b841c1ca6154e86e252d39d244375b0ed437271527a7731414402518f5b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2a9cff7a9afec30e58dd21e1c06cfd27
SHA1 0dd83dedd08cd9b790ea2f6f8115072c720496fa
SHA256 5dcf9f0d3095aec508447fed127d80f23835cb0d1f1cffc46f7e901c236ecdc5
SHA512 234d02dd63c362bdfe7a33126c35b0a23d0e47fb36839d7490fb494ed7983a2202b79762cba488f865acb93ad0d967563d9ed60ce390d14f49fcdb752fa26679

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:45

Platform

win10v2004-20230915-en

Max time kernel

162s

Max time network

198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsStrongAsFuck\AsStrongAsFuck.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AsStrongAsFuck\AsStrongAsFuck.exe

"C:\Users\Admin\AppData\Local\Temp\AsStrongAsFuck\AsStrongAsFuck.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4988-0-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/4988-1-0x0000000000890000-0x00000000008A4000-memory.dmp

memory/4988-2-0x0000000074820000-0x0000000074FD0000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2023-10-11 09:49

Reported

2023-10-11 15:46

Platform

win10v2004-20230915-en

Max time kernel

102s

Max time network

200s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Vestris.ResourceLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DotNetPatcher4.6.6.7\Vestris.ResourceLib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A