Malware Analysis Report

2025-08-05 21:10

Sample ID 240110-pnzjnagbb4
Target Finals-Hack-main.zip
SHA256 5ede9d9b04706d524af0bf0c923d880fbf84509952e2f66c0b2cd9684cf33498
Tags
xmrig evasion miner persistence upx vmprotect
Score
10/10

Analysis Overview

Score
10/10

SHA256

5ede9d9b04706d524af0bf0c923d880fbf84509952e2f66c0b2cd9684cf33498

Threat Level: Known bad

The file Finals-Hack-main.zip was found to be: Known bad.

Malicious Activity Summary

xmrig evasion miner persistence upx vmprotect

xmrig

XMRig Miner payload

Stops running service(s)

Creates new service(s)

VMProtect packed file

Checks computer location settings

UPX packed file

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-10 12:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

88s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\00BE7F9DA523AB29705009AE318BC8D1EA1A1CA7.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\00BE7F9DA523AB29705009AE318BC8D1EA1A1CA7.js

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win7-20231215-en

Max time kernel

119s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\010E3AB989ADBA95700DC330B0408A3E24B1B9AD.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\010E3AB989ADBA95700DC330B0408A3E24B1B9AD.js

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win10v2004-20231215-en

Max time kernel

140s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0A1250CA87E7D3AD993AEB6BBDC2690F21099415.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0A1250CA87E7D3AD993AEB6BBDC2690F21099415.js

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win7-20231215-en

Max time kernel

121s

Max time network

141s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\01F3FC5B949F3F17401995A81248637154FAA196.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\01F3FC5B949F3F17401995A81248637154FAA196.js

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:39

Platform

win7-20231215-en

Max time kernel

87s

Max time network

54s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\045303EF7EAD8BA16789BEC1A684893679CE6C42.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\045303EF7EAD8BA16789BEC1A684893679CE6C42.js

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\0453FDBE339FFAC08D19DC5A3BAA262994C36772.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\0453FDBE339FFAC08D19DC5A3BAA262994C36772.js

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

151s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\bookmarks.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{99E121DD-AFB4-11EE-A0B6-56EE10B1B424} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\bookmarks.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4916 CREDAT:17410 /prefetch:2

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win7-20231215-en

Max time kernel

0s

Max time network

136s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\5823.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99C97191-AFB4-11EE-91A3-4AE60EE50717} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\5823.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win7-20231215-en

Max time kernel

0s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz

Signatures

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 3008 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 3008 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz"

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win10v2004-20231215-en

Max time kernel

161s

Max time network

179s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\01F3FC5B949F3F17401995A81248637154FAA196.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\01F3FC5B949F3F17401995A81248637154FAA196.js

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

147s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\069AB8E0648CD57EE5B643E9F27C19E121B91993.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\069AB8E0648CD57EE5B643E9F27C19E121B91993.js

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

154s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\285.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9A909131-AFB4-11EE-AA35-7AB8B57C8E96} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\285.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:17410 /prefetch:2

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win7-20231215-en

Max time kernel

118s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\069AB8E0648CD57EE5B643E9F27C19E121B91993.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\069AB8E0648CD57EE5B643E9F27C19E121B91993.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win10v2004-20231215-en

Max time kernel

1s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Creates new service(s)

persistence

Stops running service(s)

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe

"C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Roaming\driver3.exe

C:\Users\Admin\AppData\Roaming\driver3.exe

C:\Users\Admin\AppData\Roaming\driver1.exe

C:\Users\Admin\AppData\Roaming\driver1.exe

C:\Users\Admin\AppData\Roaming\driver2.exe

C:\Users\Admin\AppData\Roaming\driver2.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe

C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XSVRRPDE"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "XSVRRPDE" binpath= "C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe" start= "auto"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "XSVRRPDE"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3508 -ip 3508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3508 -ip 3508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 448

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

Network


Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win7-20231129-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\opengl32.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2872 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2872 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\opengl32.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2872 -s 52

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

150s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\5823.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9A4F69B2-AFB4-11EE-AA35-6AA3E029E500} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\5823.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5300 CREDAT:17410 /prefetch:2

Network


Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\0074E7EADB9AF6975D36F41996674786A91D38F2.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\0074E7EADB9AF6975D36F41996674786A91D38F2.js

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win7-20231215-en

Max time kernel

122s

Max time network

137s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0A1250CA87E7D3AD993AEB6BBDC2690F21099415.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0A1250CA87E7D3AD993AEB6BBDC2690F21099415.js

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win7-20231215-en

Max time kernel

119s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\031D7C56C6FB471AE5EF12487A9712C96B2D7D26.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\031D7C56C6FB471AE5EF12487A9712C96B2D7D26.js

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\0453FDBE339FFAC08D19DC5A3BAA262994C36772.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\0453FDBE339FFAC08D19DC5A3BAA262994C36772.js

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win7-20231215-en

Max time kernel

119s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\00BE7F9DA523AB29705009AE318BC8D1EA1A1CA7.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\00BE7F9DA523AB29705009AE318BC8D1EA1A1CA7.js

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win7-20231215-en

Max time kernel

121s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\00EE605E0EFE18DE2959AF4F77D0FB4EC68B98A7.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\00EE605E0EFE18DE2959AF4F77D0FB4EC68B98A7.js

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:38

Platform

win10v2004-20231215-en

Max time kernel

174s

Max time network

223s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\010E3AB989ADBA95700DC330B0408A3E24B1B9AD.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\010E3AB989ADBA95700DC330B0408A3E24B1B9AD.js

Network


Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

142s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz"

Network


Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win10v2004-20231222-en

Max time kernel

105s

Max time network

138s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\00EE605E0EFE18DE2959AF4F77D0FB4EC68B98A7.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\00EE605E0EFE18DE2959AF4F77D0FB4EC68B98A7.js

Network


Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win10v2004-20231215-en

Max time kernel

146s

Max time network

92s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\opengl32.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\opengl32.dll,#1

Network


Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\031D7C56C6FB471AE5EF12487A9712C96B2D7D26.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\031D7C56C6FB471AE5EF12487A9712C96B2D7D26.js

Network


Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:38

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

232s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\045303EF7EAD8BA16789BEC1A684893679CE6C42.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\profile\cache2\entries\045303EF7EAD8BA16789BEC1A684893679CE6C42.js

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win7-20231129-en

Max time kernel

1s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe"

Signatures

Creates new service(s)

persistence

Stops running service(s)

evasion

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe

"C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Roaming\driver3.exe

C:\Users\Admin\AppData\Roaming\driver3.exe

C:\Users\Admin\AppData\Roaming\driver1.exe

C:\Users\Admin\AppData\Roaming\driver1.exe

C:\Users\Admin\AppData\Roaming\driver2.exe

C:\Users\Admin\AppData\Roaming\driver2.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "XSVRRPDE"

C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe

C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XSVRRPDE"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "XSVRRPDE" binpath= "C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe" start= "auto"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
RU 89.23.97.199:1445 89.23.97.199 tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:443 pool.hashvault.pro tcp
DE 95.179.241.203:443 pool.hashvault.pro tcp
DE 45.76.89.70:443 pool.hashvault.pro tcp
DE 95.179.241.203:443 pool.hashvault.pro tcp

Files


memory/2632-150-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2632-147-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2632-146-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2632-144-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2632-142-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2632-141-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2032-137-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2632-139-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2032-134-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2032-133-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2032-132-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2032-131-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1168-130-0x000000000150B000-0x0000000001572000-memory.dmp

memory/1168-129-0x0000000001500000-0x0000000001580000-memory.dmp

memory/1168-127-0x0000000001500000-0x0000000001580000-memory.dmp

memory/1168-126-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp

memory/1156-122-0x00000000775A0000-0x0000000077749000-memory.dmp

memory/1156-121-0x000000013F600000-0x0000000140321000-memory.dmp

memory/1156-117-0x000000013F600000-0x0000000140321000-memory.dmp

memory/1196-105-0x0000000002B10000-0x0000000002B90000-memory.dmp

memory/1196-104-0x0000000002B10000-0x0000000002B90000-memory.dmp

memory/1196-103-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

memory/1196-101-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

memory/1196-100-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

memory/1856-161-0x000000013FD70000-0x000000014002A000-memory.dmp

memory/1760-164-0x00000000000D0000-0x0000000000158000-memory.dmp

memory/1760-163-0x00000000000D0000-0x0000000000158000-memory.dmp

memory/1760-160-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1760-159-0x00000000000D0000-0x0000000000158000-memory.dmp

memory/1760-157-0x00000000000D0000-0x0000000000158000-memory.dmp

memory/1760-166-0x0000000003040000-0x0000000003440000-memory.dmp

memory/1760-168-0x00000000775A0000-0x0000000077749000-memory.dmp

memory/1760-174-0x0000000003040000-0x0000000003440000-memory.dmp

memory/2864-177-0x00000000775A0000-0x0000000077749000-memory.dmp

memory/2864-179-0x0000000001E00000-0x0000000002200000-memory.dmp

memory/2864-181-0x00000000775A0000-0x0000000077749000-memory.dmp

memory/2864-182-0x0000000001E00000-0x0000000002200000-memory.dmp

memory/2864-180-0x0000000076170000-0x00000000761B7000-memory.dmp

memory/2864-176-0x0000000001E00000-0x0000000002200000-memory.dmp

memory/2864-172-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1760-171-0x0000000076170000-0x00000000761B7000-memory.dmp

memory/1760-170-0x0000000003040000-0x0000000003440000-memory.dmp

memory/1760-167-0x0000000003040000-0x0000000003440000-memory.dmp

memory/1760-165-0x0000000003040000-0x0000000003440000-memory.dmp

memory/2632-183-0x0000000140000000-0x0000000140848000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win7-20231215-en

Max time kernel

0s

Max time network

146s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\bookmarks.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9923FA31-AFB4-11EE-B0F5-76D8C56D161B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\bookmarks.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:37

Platform

win7-20231215-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\285.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd7691733418900000000020000000000106600000001000020000000f8d9ec13190a2f5fdc4e1ca8575516daa7123baf6ca025dd9e4f5226f45870b7000000000e8000000002000020000000b9ea8feff7d24ed48b41cac0b9afc2a28de66b9c3269ded5ac16a21031952f7420000000682a4cdca27a26035c5d0bd8a92c55816fd8e239449a0955eb398d5962af829640000000d25746275ff538795f8abaac16aa761416dcc74342f83b8ff06f4ed6809543fef49011bff8558b000aebbdbe8869036660db121815a6cce35752fa87e62c4ffb C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411051967" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9AB54891-AFB4-11EE-AA51-EEC5CD00071E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8078ed74c143da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\profile\cache2\doomed\285.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2320 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab932C.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar94D6.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fca1ce9610e5f1a632236ff18923f81
SHA1 162146d94c4b292208d821c759e2e52e93662b6e
SHA256 1c6484b82ea2ea876cb2b138d9d47ee0a05ccefbdc56a0cb8122dbdd3634347f
SHA512 cd71f96e1afa8463c3f047b138b8d4ac9261fce609e0707c08c3a339f4fab3238e880d27d628092cfe1a7798c736aac880875714460d8aa7943cac4b1d146a1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b927eb9f98c0550275f1bc79ae54e383
SHA1 7143d54becac2013677e2e7d2f43d9360633e850
SHA256 a1bf935c2136f7c9ba26dc939adbde8258f2feb2fccd89464c396f8b276de27b
SHA512 8051ff1368876f0385c2cff365c933f6d5fcdc7029471278c44fbe024fda028b7b723d3cea214c86d9d34344c043419e6b14976eb9c2c8d828419ddbd5a32d3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e372e125c17fba8cb72a1fabdfaf158a
SHA1 f4747e1bf85a2182e861ee9167bada6bde63571c
SHA256 ca1099fc7ef60af5207e218e997583068023182dcd4b770852fcf1a6264b6954
SHA512 bc3cbff692ebafa1cef3b2bb74b00a3d17351d9ba7335e4cc0a3f3fdd7d173dfe6ab18002118434aeb094d94b7ff9c229b44d042a1ac3c50b9d047a02f03719c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20914347c8b676160006f26ebb1a6cdf
SHA1 8063a7566a5f1a35160bc6abfce24f623bb15f0c
SHA256 0b6a77240e84632d23528004bc90a8216960db582e1895aab1ba9e752f602b06
SHA512 49284c6cb930e647676415a9c8771dfbd24e5194f4f298d848d6b093abe69bc4403755f39d8f2f4fa5a238301fa8c313064a56cb0b852a156872f13fd27fc734

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05bc723fdfa3c1dad05c0a2ea8b6453c
SHA1 39659c7e6e2a7799212233bd79dfb9ca2679a4ee
SHA256 c1530bfb340c46cc67285359b4b9ddf8b2bc8269ecec16a1319d660dfbefe064
SHA512 6207fd359832a8c97c312bd599449a97a03c94c04cf88b570f54729473c7e535842f88030e8252c41a0cc8f5787c24c3223c6f83d0b445589ddc10ed30490478

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1744a9134d38285f2d527b2b757b91c
SHA1 881a60d220e72da018a571940a4b4aa9e57288a6
SHA256 c4c7ac88d8f358bf93ae96a65b3686b37ac26e7cb8f3a8a329cefc09ce897d44
SHA512 866ddb83692d97c1a7ac09e223848f7cedae634e26569233f9973194ed64f81580d3bdc6cb9ed73fb0cdbefcf172af59d077345595563e092cb36c5b7883eeaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0298994044b8093be9886aa82a9a2aa7
SHA1 77b75b3e209c18c7d76e1940f5151e729d707355
SHA256 e6fddb3b206a8e124429ba086c66a5e9a1942ce00e7e41124d8c6445e1ec1abe
SHA512 2902181645816c3875b33c1dc7540afbc189dd58f5f511f1968b338c0db3c4c5aea654d3799a8511461728e863851c45927d6ed9571df5c704704e607f60c115

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 486306f4995c74019dff3a11da7f1388
SHA1 a01de6088e8fe590de74c20ec531502f2fcda625
SHA256 d74e5b0fdbb3eb7405f2be443d296920d555ce0329efb86cf9fac01e1dce8131
SHA512 249c0ec41f0b3e731e1c84747b0564eb252e2a0fa8fe13e7eed44f8ccc1d77bd77aea04755a1dbbdf3fb24ee622e12455f9de82d70c7b90d2ccbe95098319859

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26e8022f0374723d04fdbe66c67f3bc9
SHA1 7ba6cde8b24d2772b05270a44b3c596a901c00ec
SHA256 11db6dfb7460f078f4a4e2cae564a5202eb0f87fcaeacd6f8368e525ed9ef9cd
SHA512 26d4c4db2a8dfb0a952a2c3cb3156b3949fe19bb73f669e9365dd9b9967e02481a6a24fb1321f677ed11d6a27b05fda2391bd993831201e031b4f5eea9a486de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14383e3021dd3690722d2f501e5b46eb
SHA1 2afb26d5eb22daa0779f5701e01abda15ec9f79b
SHA256 b8f687f8665b3d3ff8c275a9d8b70d8331f0e19a865db176aa9fc5c7474bf4cd
SHA512 f9a93fa08e2fa09f8d37821f09a72db64ce0a9399bfba8be201a903fd569348db0feccdb9f17fa8117aa995aae79e3c46494f82818c815d3c0e101cc36e48fb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5f7177b0c51ec2b231d33de8fbb1917
SHA1 6936b8c9d77d0d372545f4536cbec90d2cd7ec6d
SHA256 a368f41f251fb4573c05459a4b22b95552a0ece74a80e22b5c8d35567c5867b3
SHA512 45a5b244adf5ed81d07311ef70f6f1389f726f2fb36837dab2e24984fc36182949776f328622713cce0112d2a40014f30159db62d15322bf9dbc3b4860b742ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d03799ed526857a9113caae9efa0f3ea
SHA1 69c26db60e846971b01cea2ec0922c492e855f67
SHA256 df1facff7e9aee8f0cfc4b88add3312677f9ab88682cb6b3e720a9ecca2d5585
SHA512 86d2549fdec7519133378770b4e0692e50b2ca7c4869c76d3aaed5b499de939a68fa1f4e5d71adea60b22eac9ebe56faaa9a6008479a9229110c2aff6d49f1fc

Analysis: behavioral12

Detonation Overview

Submitted

2024-01-10 12:29

Reported

2024-01-10 12:36

Platform

win10v2004-20231222-en

Max time kernel

125s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\0074E7EADB9AF6975D36F41996674786A91D38F2.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\0074E7EADB9AF6975D36F41996674786A91D38F2.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 192.229.221.95:80 tcp
N/A 20.231.121.79:80 tcp
US 8.8.8.8:53 udp
N/A 20.31.169.57:443 tcp
N/A 20.31.169.57:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 4.231.128.59:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 40.68.123.157:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.166.126.56:443 tcp
US 8.8.8.8:53 udp
N/A 40.68.123.157:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 40.68.123.157:443 tcp
US 8.8.8.8:53 udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 udp
N/A 51.124.78.146:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 4.231.128.59:443 tcp
N/A 4.231.128.59:443 tcp
US 8.8.8.8:53 udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A