Analysis Overview
SHA256
5ede9d9b04706d524af0bf0c923d880fbf84509952e2f66c0b2cd9684cf33498
Threat Level: Known bad
The file Finals-Hack-main.zip was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Stops running service(s)
Creates new service(s)
VMProtect packed file
Checks computer location settings
UPX packed file
Launches sc.exe
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
GoLang User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-10 12:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral14
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win10v2004-20231215-en
Max time kernel
141s
Max time network
88s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\00BE7F9DA523AB29705009AE318BC8D1EA1A1CA7.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| GB | 88.221.134.17:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 52.111.227.11:443 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 88.221.134.17:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 138.91.171.81:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| GB | 96.16.110.114:80 | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win7-20231215-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\010E3AB989ADBA95700DC330B0408A3E24B1B9AD.js
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win10v2004-20231215-en
Max time kernel
140s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0A1250CA87E7D3AD993AEB6BBDC2690F21099415.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| GB | 88.221.134.17:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.114.59.183:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.114.59.183:443 | tcp | |
| N/A | 20.114.59.183:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.16.110.114:80 | tcp | |
| N/A | 20.114.59.183:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.3.187.198:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.3.187.198:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.114.59.183:443 | tcp | |
| N/A | 20.114.59.183:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 93.184.221.240:80 | tcp | |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.199.58.43:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 2.17.5.100:80 | tcp | |
| N/A | 2.17.5.100:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.54.110.119:443 | tcp | |
| N/A | 20.3.187.198:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 88.221.134.17:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 93.184.221.240:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 93.184.221.240:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| N/A | 20.74.47.205:443 | tcp | |
| N/A | 20.74.47.205:443 | tcp | |
| N/A | 20.74.47.205:443 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| US | 192.229.221.95:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 88.221.135.232:80 | tcp | |
| N/A | 88.221.135.232:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win7-20231215-en
Max time kernel
121s
Max time network
141s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\01F3FC5B949F3F17401995A81248637154FAA196.js
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:39
Platform
win7-20231215-en
Max time kernel
87s
Max time network
54s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\045303EF7EAD8BA16789BEC1A684893679CE6C42.js
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0453FDBE339FFAC08D19DC5A3BAA262994C36772.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
151s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{99E121DD-AFB4-11EE-A0B6-56EE10B1B424} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4916 wrote to memory of 4788 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4916 wrote to memory of 4788 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4916 wrote to memory of 4788 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\bookmarks.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4916 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 152.199.19.161:443 | tcp | |
| US | 152.199.19.161:443 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win7-20231215-en
Max time kernel
0s
Max time network
136s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99C97191-AFB4-11EE-91A3-4AE60EE50717} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1776 wrote to memory of 1684 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1776 wrote to memory of 1684 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1776 wrote to memory of 1684 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1776 wrote to memory of 1684 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\5823.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win7-20231215-en
Max time kernel
0s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3008 wrote to memory of 2844 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 3008 wrote to memory of 2844 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 3008 wrote to memory of 2844 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz"
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win10v2004-20231215-en
Max time kernel
161s
Max time network
179s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\01F3FC5B949F3F17401995A81248637154FAA196.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\069AB8E0648CD57EE5B643E9F27C19E121B91993.js
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 13.89.179.8:443 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
154s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9A909131-AFB4-11EE-AA35-7AB8B57C8E96} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2628 wrote to memory of 4516 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2628 wrote to memory of 4516 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2628 wrote to memory of 4516 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\285.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 92.123.128.191:443 | www.bing.com | tcp |
| US | 92.123.128.191:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 191.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.134.221.88.in-addr.arpa | udp |
| US | 152.199.19.161:443 | tcp | |
| US | 2.17.5.100:80 | tcp | |
| US | 2.17.5.100:80 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win7-20231215-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\069AB8E0648CD57EE5B643E9F27C19E121B91993.js
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win10v2004-20231215-en
Max time kernel
1s
Max time network
150s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Stops running service(s)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4516 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4516 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe
"C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Roaming\driver3.exe
C:\Users\Admin\AppData\Roaming\driver3.exe
C:\Users\Admin\AppData\Roaming\driver1.exe
C:\Users\Admin\AppData\Roaming\driver1.exe
C:\Users\Admin\AppData\Roaming\driver2.exe
C:\Users\Admin\AppData\Roaming\driver2.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe
C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "XSVRRPDE"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "XSVRRPDE" binpath= "C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe" start= "auto"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "XSVRRPDE"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 448
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| RU | 89.23.97.199:1445 | 89.23.97.199 | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.97.23.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 20.190.160.22:443 | tcp | |
| US | 138.91.171.81:80 | tcp | |
| NL | 52.142.223.178:80 | tcp | |
| DE | 95.179.241.203:443 | tcp | |
| US | 20.231.121.79:80 | tcp | |
| DE | 45.76.89.70:443 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 95.179.241.203:443 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 13.107.21.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.21.107.13.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| DE | 95.179.241.203:443 | tcp | |
| GB | 96.16.110.41:443 | tcp | |
| US | 192.229.221.95:80 | tcp | |
| US | 192.229.221.95:80 | tcp | |
| US | 192.229.221.95:80 | tcp |
Files
memory/4388-9-0x0000023C0FD60000-0x0000023C0FD82000-memory.dmp
memory/4388-10-0x00007FFFE89F0000-0x00007FFFE94B1000-memory.dmp
memory/4388-12-0x0000023C0DF80000-0x0000023C0DF90000-memory.dmp
memory/4388-11-0x0000023C0DF80000-0x0000023C0DF90000-memory.dmp
memory/4388-15-0x00007FFFE89F0000-0x00007FFFE94B1000-memory.dmp
memory/2984-38-0x00007FF75D7A0000-0x00007FF75E4C1000-memory.dmp
memory/2984-37-0x00007FF75D7A0000-0x00007FF75E4C1000-memory.dmp
memory/2984-36-0x00007FF8076D0000-0x00007FF8076D2000-memory.dmp
memory/1432-51-0x00007FFFE7EC0000-0x00007FFFE8981000-memory.dmp
memory/1432-53-0x0000025F19B10000-0x0000025F19B20000-memory.dmp
memory/1432-52-0x0000025F19B10000-0x0000025F19B20000-memory.dmp
memory/2984-57-0x00007FF75D7A0000-0x00007FF75E4C1000-memory.dmp
memory/3676-60-0x00007FF8076D0000-0x00007FF8076D2000-memory.dmp
memory/3676-62-0x00007FF770A00000-0x00007FF771721000-memory.dmp
memory/3676-61-0x00007FF770A00000-0x00007FF771721000-memory.dmp
memory/376-77-0x000001A308480000-0x000001A308490000-memory.dmp
memory/376-76-0x000001A308480000-0x000001A308490000-memory.dmp
memory/376-75-0x00007FFFE7EC0000-0x00007FFFE8981000-memory.dmp
memory/376-88-0x00007FF456B80000-0x00007FF456B90000-memory.dmp
memory/376-90-0x000001A320EB0000-0x000001A320F65000-memory.dmp
memory/376-91-0x000001A320F70000-0x000001A320F7A000-memory.dmp
memory/376-89-0x000001A308480000-0x000001A308490000-memory.dmp
memory/376-92-0x000001A3210E0000-0x000001A3210FC000-memory.dmp
memory/376-87-0x000001A320E90000-0x000001A320EAC000-memory.dmp
memory/376-93-0x000001A3210C0000-0x000001A3210CA000-memory.dmp
memory/376-96-0x000001A321100000-0x000001A321106000-memory.dmp
memory/376-97-0x000001A321110000-0x000001A32111A000-memory.dmp
memory/3296-104-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3676-115-0x00007FF770A00000-0x00007FF771721000-memory.dmp
memory/1512-116-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1512-119-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1512-121-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1512-123-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1512-122-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1512-120-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1512-118-0x000001F2173B0000-0x000001F2173D0000-memory.dmp
memory/1512-117-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1512-114-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1512-113-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1512-112-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1512-111-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1512-110-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3296-109-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3296-105-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3296-106-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3296-103-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3296-102-0x0000000140000000-0x000000014000E000-memory.dmp
memory/376-101-0x00007FFFE7EC0000-0x00007FFFE8981000-memory.dmp
memory/376-98-0x000001A308480000-0x000001A308490000-memory.dmp
memory/376-95-0x000001A3210D0000-0x000001A3210D8000-memory.dmp
memory/376-94-0x000001A321120000-0x000001A32113A000-memory.dmp
memory/1432-55-0x00007FFFE7EC0000-0x00007FFFE8981000-memory.dmp
memory/4028-125-0x00007FF782920000-0x00007FF782BDA000-memory.dmp
memory/3508-128-0x0000000000C20000-0x0000000000CA8000-memory.dmp
memory/3508-127-0x0000000000C20000-0x0000000000CA8000-memory.dmp
memory/3508-124-0x0000000000C20000-0x0000000000CA8000-memory.dmp
memory/3508-129-0x0000000003BF0000-0x0000000003FF0000-memory.dmp
memory/3508-131-0x0000000003BF0000-0x0000000003FF0000-memory.dmp
memory/3508-132-0x00007FF8074D0000-0x00007FF8076C5000-memory.dmp
memory/2404-139-0x00000000020B0000-0x00000000024B0000-memory.dmp
memory/2404-140-0x00007FF8074D0000-0x00007FF8076C5000-memory.dmp
memory/2404-145-0x00000000020B0000-0x00000000024B0000-memory.dmp
memory/3508-144-0x0000000003BF0000-0x0000000003FF0000-memory.dmp
memory/2404-143-0x0000000075AD0000-0x0000000075CE5000-memory.dmp
memory/2404-142-0x00000000020B0000-0x00000000024B0000-memory.dmp
memory/2404-138-0x00000000020B0000-0x00000000024B0000-memory.dmp
memory/2404-136-0x00000000004B0000-0x00000000004B9000-memory.dmp
memory/3508-135-0x0000000075AD0000-0x0000000075CE5000-memory.dmp
memory/3508-134-0x0000000003BF0000-0x0000000003FF0000-memory.dmp
memory/3508-130-0x0000000003BF0000-0x0000000003FF0000-memory.dmp
memory/1512-150-0x0000000140000000-0x0000000140848000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win7-20231129-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2872 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2872 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2872 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\opengl32.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2872 -s 52
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
150s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9A4F69B2-AFB4-11EE-AA35-6AA3E029E500} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5300 wrote to memory of 4928 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 5300 wrote to memory of 4928 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 5300 wrote to memory of 4928 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\5823.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5300 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| GB | 88.221.134.64:80 | tcp | |
| GB | 88.221.134.64:80 | tcp | |
| GB | 88.221.134.64:80 | tcp | |
| GB | 88.221.134.64:80 | tcp | |
| GB | 88.221.134.64:80 | tcp | |
| GB | 88.221.134.64:80 | tcp | |
| GB | 88.221.134.64:80 | tcp | |
| GB | 88.221.134.64:80 | tcp | |
| GB | 88.221.134.64:80 | tcp | |
| GB | 88.221.134.64:80 | tcp | |
| GB | 87.248.205.0:80 | tcp | |
| GB | 87.248.205.0:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| US | 152.199.19.161:443 | tcp | |
| FR | 104.115.83.50:443 | tcp | |
| GB | 96.17.178.200:80 | tcp | |
| GB | 96.17.178.200:80 | tcp | |
| GB | 96.17.178.200:80 | tcp | |
| GB | 96.17.178.204:80 | tcp | |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win7-20231129-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0074E7EADB9AF6975D36F41996674786A91D38F2.js
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win7-20231215-en
Max time kernel
122s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0A1250CA87E7D3AD993AEB6BBDC2690F21099415.js
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win7-20231215-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\031D7C56C6FB471AE5EF12487A9712C96B2D7D26.js
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win7-20231215-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0453FDBE339FFAC08D19DC5A3BAA262994C36772.js
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win7-20231215-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\00BE7F9DA523AB29705009AE318BC8D1EA1A1CA7.js
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win7-20231215-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\00EE605E0EFE18DE2959AF4F77D0FB4EC68B98A7.js
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:38
Platform
win10v2004-20231215-en
Max time kernel
174s
Max time network
223s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\010E3AB989ADBA95700DC330B0408A3E24B1B9AD.js
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
142s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| IE | 40.127.169.103:443 | tcp | |
| US | 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| GB | 96.17.178.188:80 | tcp | |
| US | 8.8.8.8:53 | 88.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win10v2004-20231222-en
Max time kernel
105s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\00EE605E0EFE18DE2959AF4F77D0FB4EC68B98A7.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.114.59.183:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.3.187.198:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.114.59.183:443 | tcp | |
| N/A | 20.114.59.183:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 87.248.205.0:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| GB | 87.248.205.0:80 | tcp | |
| GB | 87.248.205.0:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 81.198.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win10v2004-20231215-en
Max time kernel
146s
Max time network
92s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\opengl32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.134.221.88.in-addr.arpa | udp |
| GB | 88.221.134.74:80 | tcp | |
| GB | 88.221.134.74:80 | tcp | |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 20.231.121.79:80 | tcp | |
| GB | 88.221.134.74:80 | tcp | |
| GB | 88.221.134.74:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 20.231.121.79:80 | tcp | |
| N/A | 88.221.134.24:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 88.221.134.24:80 | tcp | |
| N/A | 88.221.134.24:80 | tcp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\031D7C56C6FB471AE5EF12487A9712C96B2D7D26.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.134.221.88.in-addr.arpa | udp |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.211:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| N/A | 20.74.47.205:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 52.111.229.43:443 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.211:80 | tcp | |
| GB | 96.17.178.211:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.223.36.55:443 | tcp | |
| N/A | 20.223.36.55:443 | tcp | |
| N/A | 20.223.36.55:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 87.248.205.0:80 | tcp | |
| N/A | 87.248.205.0:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| NL | 52.142.223.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.178:80 | tcp | |
| GB | 96.17.178.178:80 | tcp | |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| NL | 52.142.223.178:80 | tcp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:38
Platform
win10v2004-20231215-en
Max time kernel
141s
Max time network
232s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\045303EF7EAD8BA16789BEC1A684893679CE6C42.js
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win7-20231129-en
Max time kernel
1s
Max time network
95s
Command Line
Signatures
Creates new service(s)
Stops running service(s)
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2848 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2848 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2848 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe
"C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Roaming\driver3.exe
C:\Users\Admin\AppData\Roaming\driver3.exe
C:\Users\Admin\AppData\Roaming\driver1.exe
C:\Users\Admin\AppData\Roaming\driver1.exe
C:\Users\Admin\AppData\Roaming\driver2.exe
C:\Users\Admin\AppData\Roaming\driver2.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "XSVRRPDE"
C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe
C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "XSVRRPDE"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "XSVRRPDE" binpath= "C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe" start= "auto"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| RU | 89.23.97.199:1445 | 89.23.97.199 | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:443 | pool.hashvault.pro | tcp |
| DE | 95.179.241.203:443 | pool.hashvault.pro | tcp |
| DE | 45.76.89.70:443 | pool.hashvault.pro | tcp |
| DE | 95.179.241.203:443 | pool.hashvault.pro | tcp |
Files
memory/944-4-0x000000001B6A0000-0x000000001B982000-memory.dmp
memory/944-7-0x0000000002CC0000-0x0000000002D40000-memory.dmp
memory/944-6-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp
memory/944-10-0x0000000002CC0000-0x0000000002D40000-memory.dmp
memory/944-9-0x0000000002CC0000-0x0000000002D40000-memory.dmp
memory/944-8-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp
memory/944-11-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp
memory/944-5-0x00000000029E0000-0x00000000029E8000-memory.dmp
memory/2368-90-0x0000000077750000-0x0000000077752000-memory.dmp
memory/2368-92-0x00000000775A0000-0x0000000077749000-memory.dmp
memory/2368-88-0x0000000077750000-0x0000000077752000-memory.dmp
memory/2368-86-0x000000013FD70000-0x0000000140A91000-memory.dmp
memory/2368-85-0x0000000077750000-0x0000000077752000-memory.dmp
memory/1196-99-0x000000001B680000-0x000000001B962000-memory.dmp
memory/1196-102-0x0000000002B10000-0x0000000002B90000-memory.dmp
memory/1196-106-0x0000000002B10000-0x0000000002B90000-memory.dmp
memory/1196-107-0x000007FEF5800000-0x000007FEF619D000-memory.dmp
memory/2368-114-0x00000000775A0000-0x0000000077749000-memory.dmp
memory/2368-112-0x000000013FD70000-0x0000000140A91000-memory.dmp
memory/1156-120-0x0000000077750000-0x0000000077752000-memory.dmp
memory/1168-125-0x0000000001500000-0x0000000001580000-memory.dmp
memory/1168-124-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp
memory/1168-128-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp
memory/2032-135-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2632-140-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1156-143-0x000000013F600000-0x0000000140321000-memory.dmp
memory/1156-145-0x00000000775A0000-0x0000000077749000-memory.dmp
memory/2632-148-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/2632-152-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2632-153-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2632-154-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2632-151-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2632-150-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2632-147-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2632-146-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2632-144-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2632-142-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2632-141-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-137-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2632-139-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2032-134-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2032-133-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2032-132-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2032-131-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1168-130-0x000000000150B000-0x0000000001572000-memory.dmp
memory/1168-129-0x0000000001500000-0x0000000001580000-memory.dmp
memory/1168-127-0x0000000001500000-0x0000000001580000-memory.dmp
memory/1168-126-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp
memory/1156-122-0x00000000775A0000-0x0000000077749000-memory.dmp
memory/1156-121-0x000000013F600000-0x0000000140321000-memory.dmp
memory/1156-117-0x000000013F600000-0x0000000140321000-memory.dmp
memory/1196-105-0x0000000002B10000-0x0000000002B90000-memory.dmp
memory/1196-104-0x0000000002B10000-0x0000000002B90000-memory.dmp
memory/1196-103-0x000007FEF5800000-0x000007FEF619D000-memory.dmp
memory/1196-101-0x0000000001DA0000-0x0000000001DA8000-memory.dmp
memory/1196-100-0x000007FEF5800000-0x000007FEF619D000-memory.dmp
memory/1856-161-0x000000013FD70000-0x000000014002A000-memory.dmp
memory/1760-164-0x00000000000D0000-0x0000000000158000-memory.dmp
memory/1760-163-0x00000000000D0000-0x0000000000158000-memory.dmp
memory/1760-160-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1760-159-0x00000000000D0000-0x0000000000158000-memory.dmp
memory/1760-157-0x00000000000D0000-0x0000000000158000-memory.dmp
memory/1760-166-0x0000000003040000-0x0000000003440000-memory.dmp
memory/1760-168-0x00000000775A0000-0x0000000077749000-memory.dmp
memory/1760-174-0x0000000003040000-0x0000000003440000-memory.dmp
memory/2864-177-0x00000000775A0000-0x0000000077749000-memory.dmp
memory/2864-179-0x0000000001E00000-0x0000000002200000-memory.dmp
memory/2864-181-0x00000000775A0000-0x0000000077749000-memory.dmp
memory/2864-182-0x0000000001E00000-0x0000000002200000-memory.dmp
memory/2864-180-0x0000000076170000-0x00000000761B7000-memory.dmp
memory/2864-176-0x0000000001E00000-0x0000000002200000-memory.dmp
memory/2864-172-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1760-171-0x0000000076170000-0x00000000761B7000-memory.dmp
memory/1760-170-0x0000000003040000-0x0000000003440000-memory.dmp
memory/1760-167-0x0000000003040000-0x0000000003440000-memory.dmp
memory/1760-165-0x0000000003040000-0x0000000003440000-memory.dmp
memory/2632-183-0x0000000140000000-0x0000000140848000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win7-20231215-en
Max time kernel
0s
Max time network
146s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9923FA31-AFB4-11EE-B0F5-76D8C56D161B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2536 wrote to memory of 2208 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2536 wrote to memory of 2208 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2536 wrote to memory of 2208 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2536 wrote to memory of 2208 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\bookmarks.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:37
Platform
win7-20231215-en
Max time kernel
139s
Max time network
147s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd7691733418900000000020000000000106600000001000020000000f8d9ec13190a2f5fdc4e1ca8575516daa7123baf6ca025dd9e4f5226f45870b7000000000e8000000002000020000000b9ea8feff7d24ed48b41cac0b9afc2a28de66b9c3269ded5ac16a21031952f7420000000682a4cdca27a26035c5d0bd8a92c55816fd8e239449a0955eb398d5962af829640000000d25746275ff538795f8abaac16aa761416dcc74342f83b8ff06f4ed6809543fef49011bff8558b000aebbdbe8869036660db121815a6cce35752fa87e62c4ffb | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411051967" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9AB54891-AFB4-11EE-AA51-EEC5CD00071E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd76917334189000000000200000000001066000000010000200000000b8ab590ed60c6e6fe1ad65a58cd186f7c016c72f7c5844fa6fa379905ac63eb000000000e8000000002000020000000947b1b5b07d6a7d4d130c6befa948cbbda0c2020ceaf6cf1710a7daa41b8643790000000b7e59a8e49c016d5c006eb300675fcfc1b751388b67cc3e853e1b2089f9beead6e0b969597b56f0e8cb55b2d4699cba44d714aeb8189010dcc2d2e1f2fb71681134c21318b0bb4ff39af00ffc80c5ada06bf36455e2032b69fc510941706b291157dfdad10676c806d26c28756de4d03725f1dd7844b45aea6acdabc186e17c160ec23ca90d3d9c7e34026b1ed6c8d6e40000000097fef09d39259ad786b503374ed04f9404e500cb45ae3c0bf102f214cdcc4efba364ffbc587c45e299e580055303421f55ca3ac70a8c265c35e3552699872ae | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8078ed74c143da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2320 wrote to memory of 2544 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2320 wrote to memory of 2544 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2320 wrote to memory of 2544 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2320 wrote to memory of 2544 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\285.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2320 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab932C.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar94D6.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8fca1ce9610e5f1a632236ff18923f81 |
| SHA1 | 162146d94c4b292208d821c759e2e52e93662b6e |
| SHA256 | 1c6484b82ea2ea876cb2b138d9d47ee0a05ccefbdc56a0cb8122dbdd3634347f |
| SHA512 | cd71f96e1afa8463c3f047b138b8d4ac9261fce609e0707c08c3a339f4fab3238e880d27d628092cfe1a7798c736aac880875714460d8aa7943cac4b1d146a1f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b927eb9f98c0550275f1bc79ae54e383 |
| SHA1 | 7143d54becac2013677e2e7d2f43d9360633e850 |
| SHA256 | a1bf935c2136f7c9ba26dc939adbde8258f2feb2fccd89464c396f8b276de27b |
| SHA512 | 8051ff1368876f0385c2cff365c933f6d5fcdc7029471278c44fbe024fda028b7b723d3cea214c86d9d34344c043419e6b14976eb9c2c8d828419ddbd5a32d3a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e372e125c17fba8cb72a1fabdfaf158a |
| SHA1 | f4747e1bf85a2182e861ee9167bada6bde63571c |
| SHA256 | ca1099fc7ef60af5207e218e997583068023182dcd4b770852fcf1a6264b6954 |
| SHA512 | bc3cbff692ebafa1cef3b2bb74b00a3d17351d9ba7335e4cc0a3f3fdd7d173dfe6ab18002118434aeb094d94b7ff9c229b44d042a1ac3c50b9d047a02f03719c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 20914347c8b676160006f26ebb1a6cdf |
| SHA1 | 8063a7566a5f1a35160bc6abfce24f623bb15f0c |
| SHA256 | 0b6a77240e84632d23528004bc90a8216960db582e1895aab1ba9e752f602b06 |
| SHA512 | 49284c6cb930e647676415a9c8771dfbd24e5194f4f298d848d6b093abe69bc4403755f39d8f2f4fa5a238301fa8c313064a56cb0b852a156872f13fd27fc734 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 05bc723fdfa3c1dad05c0a2ea8b6453c |
| SHA1 | 39659c7e6e2a7799212233bd79dfb9ca2679a4ee |
| SHA256 | c1530bfb340c46cc67285359b4b9ddf8b2bc8269ecec16a1319d660dfbefe064 |
| SHA512 | 6207fd359832a8c97c312bd599449a97a03c94c04cf88b570f54729473c7e535842f88030e8252c41a0cc8f5787c24c3223c6f83d0b445589ddc10ed30490478 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d1744a9134d38285f2d527b2b757b91c |
| SHA1 | 881a60d220e72da018a571940a4b4aa9e57288a6 |
| SHA256 | c4c7ac88d8f358bf93ae96a65b3686b37ac26e7cb8f3a8a329cefc09ce897d44 |
| SHA512 | 866ddb83692d97c1a7ac09e223848f7cedae634e26569233f9973194ed64f81580d3bdc6cb9ed73fb0cdbefcf172af59d077345595563e092cb36c5b7883eeaf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0298994044b8093be9886aa82a9a2aa7 |
| SHA1 | 77b75b3e209c18c7d76e1940f5151e729d707355 |
| SHA256 | e6fddb3b206a8e124429ba086c66a5e9a1942ce00e7e41124d8c6445e1ec1abe |
| SHA512 | 2902181645816c3875b33c1dc7540afbc189dd58f5f511f1968b338c0db3c4c5aea654d3799a8511461728e863851c45927d6ed9571df5c704704e607f60c115 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 486306f4995c74019dff3a11da7f1388 |
| SHA1 | a01de6088e8fe590de74c20ec531502f2fcda625 |
| SHA256 | d74e5b0fdbb3eb7405f2be443d296920d555ce0329efb86cf9fac01e1dce8131 |
| SHA512 | 249c0ec41f0b3e731e1c84747b0564eb252e2a0fa8fe13e7eed44f8ccc1d77bd77aea04755a1dbbdf3fb24ee622e12455f9de82d70c7b90d2ccbe95098319859 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 26e8022f0374723d04fdbe66c67f3bc9 |
| SHA1 | 7ba6cde8b24d2772b05270a44b3c596a901c00ec |
| SHA256 | 11db6dfb7460f078f4a4e2cae564a5202eb0f87fcaeacd6f8368e525ed9ef9cd |
| SHA512 | 26d4c4db2a8dfb0a952a2c3cb3156b3949fe19bb73f669e9365dd9b9967e02481a6a24fb1321f677ed11d6a27b05fda2391bd993831201e031b4f5eea9a486de |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 14383e3021dd3690722d2f501e5b46eb |
| SHA1 | 2afb26d5eb22daa0779f5701e01abda15ec9f79b |
| SHA256 | b8f687f8665b3d3ff8c275a9d8b70d8331f0e19a865db176aa9fc5c7474bf4cd |
| SHA512 | f9a93fa08e2fa09f8d37821f09a72db64ce0a9399bfba8be201a903fd569348db0feccdb9f17fa8117aa995aae79e3c46494f82818c815d3c0e101cc36e48fb6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d5f7177b0c51ec2b231d33de8fbb1917 |
| SHA1 | 6936b8c9d77d0d372545f4536cbec90d2cd7ec6d |
| SHA256 | a368f41f251fb4573c05459a4b22b95552a0ece74a80e22b5c8d35567c5867b3 |
| SHA512 | 45a5b244adf5ed81d07311ef70f6f1389f726f2fb36837dab2e24984fc36182949776f328622713cce0112d2a40014f30159db62d15322bf9dbc3b4860b742ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d03799ed526857a9113caae9efa0f3ea |
| SHA1 | 69c26db60e846971b01cea2ec0922c492e855f67 |
| SHA256 | df1facff7e9aee8f0cfc4b88add3312677f9ab88682cb6b3e720a9ecca2d5585 |
| SHA512 | 86d2549fdec7519133378770b4e0692e50b2ca7c4869c76d3aaed5b499de939a68fa1f4e5d71adea60b22eac9ebe56faaa9a6008479a9229110c2aff6d49f1fc |
Analysis: behavioral12
Detonation Overview
Submitted
2024-01-10 12:29
Reported
2024-01-10 12:36
Platform
win10v2004-20231222-en
Max time kernel
125s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0074E7EADB9AF6975D36F41996674786A91D38F2.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 192.229.221.95:80 | tcp | |
| N/A | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.31.169.57:443 | tcp | |
| N/A | 20.31.169.57:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 4.231.128.59:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 40.68.123.157:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.166.126.56:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 40.68.123.157:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 40.68.123.157:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 51.124.78.146:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 4.231.128.59:443 | tcp | |
| N/A | 4.231.128.59:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |