Analysis Overview
SHA256
40dca8cc9156a448082670599d1779339738028a616b3c1047178cf0a0baa6e5
Threat Level: Shows suspicious behavior
The file gs10021w64.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Checks installed software on the system
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
One or more HTTP URLs in PDF identified
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of SetWindowsHookEx
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 12:37
Signatures
One or more HTTP URLs in PDF identified
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win10v2004-20240221-en
Max time kernel
446s
Max time network
1172s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3524 wrote to memory of 3456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mspaint.exe |
| PID 3524 wrote to memory of 3456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mspaint.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win10v2004-20240221-en
Max time kernel
454s
Max time network
1180s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\COPYING
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win10v2004-20240221-en
Max time kernel
1175s
Max time network
1183s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\.tex | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\edit | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\.tex\ = "tex_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\edit\command | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4012 wrote to memory of 3284 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4012 wrote to memory of 3284 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240221-en
Max time kernel
841s
Max time network
846s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\ghostnet-wpf-example.png
Network
Files
memory/1740-0-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1740-1-0x00000000001B0000-0x00000000001B1000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win10v2004-20240221-en
Max time kernel
432s
Max time network
1164s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\gsviewer.png
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240221-en
Max time kernel
837s
Max time network
839s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\linking-jar.png
Network
Files
memory/1736-0-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1736-1-0x0000000000310000-0x0000000000311000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win10v2004-20240221-en
Max time kernel
456s
Max time network
1180s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\linking-jar.png
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240215-en
Max time kernel
842s
Max time network
847s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\README
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:39
Platform
win10v2004-20240221-en
Max time kernel
93s
Max time network
130s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\gs\gs10.02.1\vcredist_x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{EF04CBCD-B1CE-4F00-8FE0-B9510C396085}\.cr\vcredist_x64.exe | N/A |
| N/A | N/A | C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{EF04CBCD-B1CE-4F00-8FE0-B9510C396085}\.cr\vcredist_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\gs\gs10.02.1\examples\vasarely.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\Fontmap.Ult | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\pdf2ps.cmd | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\viewmiff.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\CNS1-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Encoding\CEEncoding | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniKS-UTF32-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Init\gs_pdfwr.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\doc\src\index.rst | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\cdj690ec.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\83pv-RKSJ-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\KSCpc-EUC-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniCNS-UCS2-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniJIS2004-UTF16-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\iccprofiles\esrgb.icc | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Add-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-CNS1-0 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-3 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\HKgccs-B5-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\HKm471-B5-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\IdiomSet\PPI_CUtils | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\doc\src\Ghostscript-Enterprise.rst | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\examples\text_graph_image_cmyk_rgb.pdf | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\bjc610b4.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\pdf2dsc | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\ras32.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-CNS1-4 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\ps2pdf13 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniKS-UTF8-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\examples\cjk\all_ac1.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\ps2pdf12.cmd | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Korea1-2 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Decoding\Unicode | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Font\NimbusRoman-Italic | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\examples\cjk\all_ag1.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\bjc610a2.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-GB1-4 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Init\gs_epsf.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\doc\colormanage\figures\proof_link.pdf | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\cid2code.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\pdf2dsc.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\ps2ps2.bat | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-6 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\B5pc-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\doc\src\Ps-style.rst | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\stc800p.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\78-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\IdiomSet\Pscript5Idiom | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\examples\cjk\gscjk_ac.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\bj8gc12f.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\bjc610a8.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\gssetgs32.bat | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\GBpc-EUC-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniGB-UTF16-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\gssetgs.bat | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\ps2pdf.bat | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniJISPro-UCS2-HW-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Init\gs_typ42.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Add-RKSJ-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-CNS1-1 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\viewcmyk.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Font\NimbusSans-Italic | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\doc\GS9_Color_Management.pdf | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\gs_m.xpm | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe
"C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe"
C:\Program Files\gs\gs10.02.1\vcredist_x64.exe
"C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" /norestart /install /quiet
C:\Windows\Temp\{EF04CBCD-B1CE-4F00-8FE0-B9510C396085}\.cr\vcredist_x64.exe
"C:\Windows\Temp\{EF04CBCD-B1CE-4F00-8FE0-B9510C396085}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" -burn.filehandle.attached=556 -burn.filehandle.self=552 /norestart /install /quiet
C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe
"C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe" -q -dNOSAFER -dBATCH "-sFONTDIR=C:/Windows/Fonts" "-sCIDFMAP=C:/Program Files/gs/gs10.02.1/lib/cidfmap" "C:/Program Files/gs/gs10.02.1/lib/mkcidfm.ps"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\nsDialogs.dll
| MD5 | 0d45588070cf728359055f776af16ec4 |
| SHA1 | c4375ceb2883dee74632e81addbfa4e8b0c6d84a |
| SHA256 | 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a |
| SHA512 | 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415 |
C:\Program Files\gs\gs10.02.1\vcredist_x64.exe
| MD5 | 1398e0b9d13d9cf6f9b932c4564bb9b7 |
| SHA1 | c6fdfbfffe1a28f2fe469edaa93ef7c70f3a883a |
| SHA256 | 7cca427e433bfd9ab6dd87ed0f8e037d29168d1278b5f8ad3f77e482af6c223a |
| SHA512 | e8c9068bf7a1d9316fe5a5e9bc6b045c2aaeba20cb01aa6751cf3acddfb7a6718589c696b885cfabaf09b445da4523747f309a4b4cad5845499cc1d006daf1f0 |
C:\Program Files\gs\gs10.02.1\vcredist_x64.exe
| MD5 | 50a0ac7b378b15e89e2f7f24603fe46a |
| SHA1 | 5789fecd07caeee6f920eb968a5f19d90b7e640e |
| SHA256 | 4f4faa90d4e51ee5ee90f7bf19342f0a47e01b01e810376239c9ec8c72909abd |
| SHA512 | e14a70db6956a7bf8aa5f5fa0c6e8edc2dfc5496c5d6d8a54b3107eaaa22cd792e8a59915cbadc1bbc21bc693bf48809792a2ba7ccbfd5a9e6d3b5cf3de965bc |
C:\Windows\Temp\{EF04CBCD-B1CE-4F00-8FE0-B9510C396085}\.cr\vcredist_x64.exe
| MD5 | 7f28c88875700454d8fb733341658edd |
| SHA1 | 434159872b168112b86e91cf84f4d9d545ab0410 |
| SHA256 | 92d6a54089399fab9f00f25ccf568bdc2f4838aefbf37d51bc1ac94ed41508b9 |
| SHA512 | 7b0d332ef78506e116ad620eb34424d7ca168822f768c30fe54a55168075e88d9fb40f1c4eb02498c3379843f50ac79bcc3d42a77b82d6157bfbd3fc4bd462fb |
C:\Windows\Temp\{CA624441-1A89-424D-86D9-CCBF6F00BD18}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
| SHA512 | 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2 |
C:\Windows\Temp\{CA624441-1A89-424D-86D9-CCBF6F00BD18}\.ba\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\modern-wizard.bmp
| MD5 | cbe40fd2b1ec96daedc65da172d90022 |
| SHA1 | 366c216220aa4329dff6c485fd0e9b0f4f0a7944 |
| SHA256 | 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2 |
| SHA512 | 62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63 |
C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\nsExec.dll
| MD5 | c5b9fe538654a5a259cf64c2455c5426 |
| SHA1 | db45505fa041af025de53a0580758f3694b9444a |
| SHA256 | 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7 |
| SHA512 | f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa |
C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe
| MD5 | afa48925e3fa6a78215e454efdfaa730 |
| SHA1 | e16bb545c38998a417ea2412ff780b698dff6387 |
| SHA256 | 0772e280480805c8d8277db2ff2ac56eca17c733835ccf1ab3a31150e75853b7 |
| SHA512 | 1bcbefe989314a4aea09afd6874b4e092710c076cf5ba778b7249bbcee4f6a0800998d3f746f58f4151a3d79bedbe29e6addf052fe59575dfb995bca2a607ff2 |
C:\Program Files\gs\gs10.02.1\bin\gsdll64.dll
| MD5 | 8b1c56e138efc3c678c7eb1d88648592 |
| SHA1 | d29bac308e3ed3fa884ea264ae8de5d9b0bd8ab7 |
| SHA256 | f96834ba3dc32f81b6a70b11d894f3e495866e386f0e575be6f2acff0f0493b5 |
| SHA512 | 4b425e0a60107ca2aaae5be43fefe4b40fbcc662529bedd0d0468499569238b0067740e3ef9d8676a44294b43afedb32f2c467f05d69c13d8dfa40428d6e80a8 |
C:\Program Files\gs\gs10.02.1\lib\mkcidfm.ps
| MD5 | 8c30e8f093b1481e3469aa4e1b8eed71 |
| SHA1 | fc67d01c3c5a5d00d8b4ee9091176136a4e79ec8 |
| SHA256 | c14f4987a3ef74707893417f8b058b2402835eeb3c80fc06413c2ec9456abca8 |
| SHA512 | 7dd1618fa0f04665761d532b3306fddfc92df8ad642a32b4f6abacc0ea9d915f5b321a83584b8024809265be57df521ccc6d310f2ae8c5894a82f687ed99f75e |
C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\EnVar.dll
| MD5 | 4ee6c0578960bcb5dad78947e0cbffe9 |
| SHA1 | dd90488ffde0b0df76e0a5e8dca8192c77619d8b |
| SHA256 | eb182d049ba19f697628e20228af329780aaf62c3585a1e36b9fb988911fe697 |
| SHA512 | 0592166761c32aa804a26fb90191f636173b6e5144e4c10b100841fcb4d05cc30d8ffc3716e823d02dd3bcc73cfb9106639cf8ae2aeeba409213f2f40df5932c |
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240221-en
Max time kernel
845s
Max time network
850s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp
Network
Files
memory/2404-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2404-1-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win10v2004-20240221-en
Max time kernel
452s
Max time network
1181s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\Makefile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240221-en
Max time kernel
838s
Max time network
844s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.txt
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 13:07
Platform
win10v2004-20240221-en
Max time kernel
447s
Max time network
1167s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\API.rst
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 13:08
Platform
win7-20240221-en
Max time kernel
838s
Max time network
840s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.rst | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.rst\ = "rst_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2384 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2384 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2384 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2588 wrote to memory of 2596 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 2596 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 2596 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 2596 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\C-style.rst
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\doc\src\C-style.rst
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc\src\C-style.rst"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | c91ec2eb187f482bff04fc506f6d6b2b |
| SHA1 | 34c296c80e056afc59ca8bfe312b88ae3e47a08b |
| SHA256 | 469dfae3002b5f2e53d31045a6d43ccd0a76bcf278323923eefcf48ebc6f2f0e |
| SHA512 | f19a53f64b5129db34621df64341c71c7f0aa2fb154ff5bcd67484d154a69a781067ef2bc70087ca8bfbba3ccb1c083ed5d6d0ecf15ecc82662f815e0d241041 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 13:08
Platform
win10v2004-20240221-en
Max time kernel
451s
Max time network
1173s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\C-style.rst
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win10v2004-20240221-en
Max time kernel
446s
Max time network
1171s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\HowToBuildTheDocs.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win10v2004-20240221-en
Max time kernel
441s
Max time network
1170s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\ghostnet-wpf-example.png
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240221-en
Max time kernel
845s
Max time network
852s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\gsviewer.png
Network
Files
memory/2132-0-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2132-1-0x0000000000320000-0x0000000000321000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240221-en
Max time kernel
835s
Max time network
838s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.tex | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.tex\ = "tex_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3048 wrote to memory of 2052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3048 wrote to memory of 2052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3048 wrote to memory of 2052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2052 wrote to memory of 2552 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2052 wrote to memory of 2552 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2052 wrote to memory of 2552 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2052 wrote to memory of 2552 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ad1c12b59d98c213f9a04fc648171c6a |
| SHA1 | d0add8863b76d418603e80a5a5a4c304c06a942b |
| SHA256 | aed3ff504dad752eafba576f9bec583889c1ba15e039eed05045d53200ea427e |
| SHA512 | d30c1ae95e847a418f172f6a74b5834de786ddf65d59ba674c84c23d5640b04a8dbfe54244b0683b382ca7c547abc2d9d7f8f65f2723512f3e5992bf6ac25348 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win10v2004-20240221-en
Max time kernel
447s
Max time network
1175s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\README
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240221-en
Max time kernel
839s
Max time network
845s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.tex\ = "tex_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.tex | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1716 wrote to memory of 2552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1716 wrote to memory of 2552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1716 wrote to memory of 2552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2552 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2552 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2552 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2552 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | db8e25d74afc10927e5427271d2b6d5c |
| SHA1 | b37db90201b3b0ba4143dca9a5dee0f0d84468b3 |
| SHA256 | b743a6c23c3a344c985102623c80de8aa968640326bff168c5ba175cbfdd68e6 |
| SHA512 | 6bd4a6a15578f475000a27f80f02cc87a912e4c7df5489119a5d7a23662edd79f780177830270c175b25c36b724a8ad6a3a72bd9386ab73e9e06b2f40149d14b |
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240220-en
Max time kernel
839s
Max time network
841s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\HowToBuildTheDocs.txt
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 13:00
Platform
win7-20240221-en
Max time kernel
844s
Max time network
846s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.rst | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.rst\ = "rst_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3056 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3056 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3056 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2588 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\API.rst
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\doc\src\API.rst
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc\src\API.rst"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | b2034cea3c25aa47240677cf3ecf45ee |
| SHA1 | bd316f0593ab9788933878065f043805e0c595ff |
| SHA256 | 87d5297d9bf9cc9a3bc8b86289f757c2226bd433258daa0edb32b95ad074bc64 |
| SHA512 | afb2d3c2f4e973f3000c1ea9a91281684e473878c277e3415b6ca7fd7feb8d7b019b2bf0e1d22d05f07bbc436cf20c936e7bbfb543a944f273e99793a3be2670 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 13:09
Platform
win7-20240220-en
Max time kernel
840s
Max time network
842s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.rst | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.rst\ = "rst_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2908 wrote to memory of 2648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2908 wrote to memory of 2648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2908 wrote to memory of 2648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2648 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2648 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2648 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2648 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\Develop.rst
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\doc\src\Develop.rst
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc\src\Develop.rst"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | d56c20163860a2c93e1654cc85b9b180 |
| SHA1 | 5b89f23e56aa90a4a2263e9257e77032db6a3971 |
| SHA256 | f92422548164914377ab0f482148590542e368ffb7d403ec524984412e2a0a81 |
| SHA512 | 7b963df241590a0602eeed3ca7f7783ed34164333359c4ff5ada02a05b0723701028636acb97952ae2330b6fd5b6806d6af2f380f635ebe7d1f0aa973ec2e7e6 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240221-en
Max time kernel
845s
Max time network
850s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\export-jar.png
Network
Files
memory/2076-0-0x0000000001B30000-0x0000000001B31000-memory.dmp
memory/2076-1-0x0000000001B30000-0x0000000001B31000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win10v2004-20240221-en
Max time kernel
446s
Max time network
1176s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\export-jar.png
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 13:00
Platform
win10v2004-20240221-en
Max time kernel
1176s
Max time network
1178s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240221-en
Max time kernel
835s
Max time network
841s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\COPYING
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win10v2004-20240221-en
Max time kernel
442s
Max time network
1170s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1292 wrote to memory of 4964 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 1292 wrote to memory of 4964 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:39
Platform
win7-20240221-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\gs\gs10.02.1\vcredist_x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe | N/A |
| N/A | N/A | C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Program Files\gs\gs10.02.1\vcredist_x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\RKSJ-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniGB-UTF16-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Encoding\CEEncoding | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Font\P052-Italic | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Init\gs_icc.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\doc\src\Ps-style.rst | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\examples\annots.pdf | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\GBK2K-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\doc\src\Ps2epsi.rst | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniJIS-UTF32-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Decoding\Unicode | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\gs_ce_e.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-4 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Ext-RKSJ-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\stc600pl.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\ETen-B5-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\iccprofiles\default_cmyk.icc | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\stc500p.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\IdiomSet\Pscript5Idiom | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\doc\src\thirdparty.rst | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniCNS-UTF16-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniHojo-UTF16-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\GBTpc-EUC-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Identity-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\bjc610b4.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\gssetgs64.bat | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\gst.bat | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\gsnd.bat | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\90ms-RKSJ-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-1 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Init\Fontmap | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Init\gs_dps2.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\doc\pclxps\README | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\font2pcl.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\gslp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Init\gs_wan_e.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-GB1-2 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\necp2x.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\ps2epsi.bat | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\ps2ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\viewjpeg.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan2-0 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniKS-UTF16-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Font\NimbusRoman-Italic | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\doc\src\Ghostscript-Enterprise.rst | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\Info-macos.plist | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\ps2ps2.cmd | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\rinkj-2200-setup | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\stcany_h.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\ColorSpace\TrivialCMYK | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\pdf2ps.bat | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\CNS-EUC-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniCNS-UTF8-H | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\CMap\UniHojo-UTF32-V | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\Init\gs_fonts.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\doc\language-bindings\images\gsviewer.png | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\Fontmap.ATM | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\gslj.bat | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\SubstCID\Korea1-WMode | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\ps2ps2 | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\lib\ras4.upp | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\examples\doretree.ps | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\Resource\ColorSpace\sGray | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
| File created | C:\Program Files\gs\gs10.02.1\uninstgs.exe | C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe
"C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe"
C:\Program Files\gs\gs10.02.1\vcredist_x64.exe
"C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" /norestart /install /quiet
C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe
"C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /norestart /install /quiet
C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe
"C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe" -q -dNOSAFER -dBATCH "-sFONTDIR=C:/Windows/Fonts" "-sCIDFMAP=C:/Program Files/gs/gs10.02.1/lib/cidfmap" "C:/Program Files/gs/gs10.02.1/lib/mkcidfm.ps"
Network
Files
\Users\Admin\AppData\Local\Temp\nsi3390.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
\Users\Admin\AppData\Local\Temp\nsi3390.tmp\nsDialogs.dll
| MD5 | 0d45588070cf728359055f776af16ec4 |
| SHA1 | c4375ceb2883dee74632e81addbfa4e8b0c6d84a |
| SHA256 | 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a |
| SHA512 | 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415 |
\Program Files\gs\gs10.02.1\vcredist_x64.exe
| MD5 | 23b8f64f891b5c3c67c1a11c30b32f73 |
| SHA1 | bbff440ce19d1dabd9367af69eed6bbfe14727e0 |
| SHA256 | 8d3ccebf3ff5b781567cd779c67dc30d80ef5445f3ee87562c16654edf8d38f1 |
| SHA512 | 3c4aa37b830d89c6aecf1fa7aaa1096b6311aaaf23b70066bc5a03e3800ce88f5c0a8c4020c8ef688a42bdf753a0748ab2531bf71c8dd9bbfdf920a27c156d71 |
C:\Program Files\gs\gs10.02.1\vcredist_x64.exe
| MD5 | 291e0c486cbe22cb000c5e541c9e8317 |
| SHA1 | 64e813bb9024a8e8d5aa64ee20e0d13de97ec7fd |
| SHA256 | 9b9dd72c27ab1db081de56bb7b73bee9a00f60d14ed8e6fde45dab3e619b5f04 |
| SHA512 | 666da980e006648c8ea5eb09ed1d8bafb59bb8c8e798d18bd1c9b1f523237bb7c0d5937813a34ab37f6e0daefe8f2baf9373b73c0c9262fe3a1d88c0f4eae611 |
C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe
| MD5 | 7f28c88875700454d8fb733341658edd |
| SHA1 | 434159872b168112b86e91cf84f4d9d545ab0410 |
| SHA256 | 92d6a54089399fab9f00f25ccf568bdc2f4838aefbf37d51bc1ac94ed41508b9 |
| SHA512 | 7b0d332ef78506e116ad620eb34424d7ca168822f768c30fe54a55168075e88d9fb40f1c4eb02498c3379843f50ac79bcc3d42a77b82d6157bfbd3fc4bd462fb |
\Windows\Temp\{C0FD401F-EDD4-4621-A329-5D332305875E}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
| SHA512 | 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2 |
C:\Windows\Temp\{C0FD401F-EDD4-4621-A329-5D332305875E}\.ba\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
C:\Users\Admin\AppData\Local\Temp\nsi3390.tmp\modern-wizard.bmp
| MD5 | cbe40fd2b1ec96daedc65da172d90022 |
| SHA1 | 366c216220aa4329dff6c485fd0e9b0f4f0a7944 |
| SHA256 | 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2 |
| SHA512 | 62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63 |
\Users\Admin\AppData\Local\Temp\nsi3390.tmp\nsExec.dll
| MD5 | c5b9fe538654a5a259cf64c2455c5426 |
| SHA1 | db45505fa041af025de53a0580758f3694b9444a |
| SHA256 | 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7 |
| SHA512 | f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa |
\Program Files\gs\gs10.02.1\bin\gswin64c.exe
| MD5 | afa48925e3fa6a78215e454efdfaa730 |
| SHA1 | e16bb545c38998a417ea2412ff780b698dff6387 |
| SHA256 | 0772e280480805c8d8277db2ff2ac56eca17c733835ccf1ab3a31150e75853b7 |
| SHA512 | 1bcbefe989314a4aea09afd6874b4e092710c076cf5ba778b7249bbcee4f6a0800998d3f746f58f4151a3d79bedbe29e6addf052fe59575dfb995bca2a607ff2 |
C:\Program Files\gs\gs10.02.1\bin\gsdll64.dll
| MD5 | c370af627e9eccfba9f77ec246afbebd |
| SHA1 | 234f29ac94d5c83c795da68926018d32866ab086 |
| SHA256 | 92cde0bccf3a7cbc4946ff0d7ddd946c2bf55be94f333d5f515d007eed0ad749 |
| SHA512 | e5e01a575a8657685608469f2b52b3fd6c39211e45e9cec125db2d4e73ad5d75b4a2076c4caba32611619f2b8c34ed7e0837a28659301020531a791422239d80 |
\Program Files\gs\gs10.02.1\bin\gsdll64.dll
| MD5 | 534719272fc2a304e848ad1a9b05a65f |
| SHA1 | a71d055833b7def9d30737b6497b4051ccf9e076 |
| SHA256 | 2305d47458e976a266c901b805fd213e7b1dc52c3590730c2a0b1667d4e731bd |
| SHA512 | ee06951eafe00d26a207e3ffecc874650c27ddf6741e2b82b0f8e25a3aef9f6ffa2849cb6e167da09af42f5da2e7f406431ec6242dda1a93ba8aa1c24549fa94 |
C:\Program Files\gs\gs10.02.1\lib\mkcidfm.ps
| MD5 | 8c30e8f093b1481e3469aa4e1b8eed71 |
| SHA1 | fc67d01c3c5a5d00d8b4ee9091176136a4e79ec8 |
| SHA256 | c14f4987a3ef74707893417f8b058b2402835eeb3c80fc06413c2ec9456abca8 |
| SHA512 | 7dd1618fa0f04665761d532b3306fddfc92df8ad642a32b4f6abacc0ea9d915f5b321a83584b8024809265be57df521ccc6d310f2ae8c5894a82f687ed99f75e |
\Users\Admin\AppData\Local\Temp\nsi3390.tmp\EnVar.dll
| MD5 | 4ee6c0578960bcb5dad78947e0cbffe9 |
| SHA1 | dd90488ffde0b0df76e0a5e8dca8192c77619d8b |
| SHA256 | eb182d049ba19f697628e20228af329780aaf62c3585a1e36b9fb988911fe697 |
| SHA512 | 0592166761c32aa804a26fb90191f636173b6e5144e4c10b100841fcb4d05cc30d8ffc3716e823d02dd3bcc73cfb9106639cf8ae2aeeba409213f2f40df5932c |
\Program Files\gs\gs10.02.1\bin\gswin64.exe
| MD5 | 8fd9ecd60518648ae0e3f45517bcd22d |
| SHA1 | 216367f4f3ed71fb89e01d5cc1318765dd9302ae |
| SHA256 | 441f81fbd8b3ee04121e7ece5bca2fe172466d732ff7695c5c2e61b1696c8a79 |
| SHA512 | 4cc6669eeb579069c8591e0bbe53b77a6bdc507f4e6f3648ea73bc85a65cd595765dea9b92889b419c8f3d3e7a2ad8e3294bf5157f4e1ac76ead17fbead64c20 |
\Program Files\gs\gs10.02.1\uninstgs.exe
| MD5 | 6f6dc91ebc30b9b956d2949020b32d25 |
| SHA1 | 311c156e360672b4faa6653c5528f395481e4b8e |
| SHA256 | 2784fccaf70d1a653ab68d6f55a2798e7d87262419e7cb150ff4e14fa4ebf55e |
| SHA512 | f4106fd08f44429a1802c118d08f0ef0b731aa991b2d4c8e30425d40504373872314b6830bbc6e8a52a50de1d542334c6c0f043d389af74cec4c1a40ae9fee57 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 12:57
Platform
win7-20240221-en
Max time kernel
840s
Max time network
846s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\Makefile
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-02-23 12:36
Reported
2024-02-23 13:13
Platform
win10v2004-20240221-en
Max time kernel
440s
Max time network
1167s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\Develop.rst
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.104.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |