Malware Analysis Report

2025-08-05 09:28

Sample ID 240223-ps96ysgc88
Target gs10021w64.exe
SHA256 40dca8cc9156a448082670599d1779339738028a616b3c1047178cf0a0baa6e5
Tags
discovery pdf link
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analyses behavioral4, behavioral6, behavioral10, behavioral13, behavioral16, behavioral17, behavioral18, behavioral21, behavioral2, behavioral3, behavioral20, behavioral25, behavioral28, behavioral29, behavioral30, behavioral8, behavioral14, behavioral15, behavioral9, behavioral22, behavioral23, behavioral7, behavioral27, behavioral31, behavioral11, behavioral12, behavioral26, behavioral5, behavioral24, behavioral1, behavioral19, behavioral32 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

40dca8cc9156a448082670599d1779339738028a616b3c1047178cf0a0baa6e5

Threat Level: Shows suspicious behavior

The file gs10021w64.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery pdf link

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks installed software on the system

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

One or more HTTP URLs in PDF identified

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of SetWindowsHookEx

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 12:37

Signatures

One or more HTTP URLs in PDF identified

pdf link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win10v2004-20240221-en

Max time kernel

446s

Max time network

1172s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3524 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe
PID 3524 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win10v2004-20240221-en

Max time kernel

454s

Max time network

1180s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\COPYING

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\COPYING

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win10v2004-20240221-en

Max time kernel

1175s

Max time network

1183s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\.tex C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\edit C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\open C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\open\command C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\.tex\ = "tex_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\edit\command C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\tex_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\system32\OpenWith.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 3284 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 4012 wrote to memory of 3284 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
NL 52.142.223.178:80 tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240221-en

Max time kernel

841s

Max time network

846s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\ghostnet-wpf-example.png

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\ghostnet-wpf-example.png

Network

N/A

Files

memory/1740-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1740-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win10v2004-20240221-en

Max time kernel

432s

Max time network

1164s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\gsviewer.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\gsviewer.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240221-en

Max time kernel

837s

Max time network

839s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\linking-jar.png

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\linking-jar.png

Network

N/A

Files

memory/1736-0-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1736-1-0x0000000000310000-0x0000000000311000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win10v2004-20240221-en

Max time kernel

456s

Max time network

1180s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\linking-jar.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\linking-jar.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240215-en

Max time kernel

842s

Max time network

847s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\README

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\README

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:39

Platform

win10v2004-20240221-en

Max time kernel

93s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\gs\gs10.02.1\examples\vasarely.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\Fontmap.Ult C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\pdf2ps.cmd C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\viewmiff.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\CNS1-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Encoding\CEEncoding C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniKS-UTF32-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Init\gs_pdfwr.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\doc\src\index.rst C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\cdj690ec.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\83pv-RKSJ-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\KSCpc-EUC-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniCNS-UCS2-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniJIS2004-UTF16-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\iccprofiles\esrgb.icc C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Add-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-CNS1-0 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-3 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\HKgccs-B5-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\HKm471-B5-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\IdiomSet\PPI_CUtils C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\doc\src\Ghostscript-Enterprise.rst C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\examples\text_graph_image_cmyk_rgb.pdf C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\bjc610b4.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\pdf2dsc C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\ras32.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-CNS1-4 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\ps2pdf13 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniKS-UTF8-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\examples\cjk\all_ac1.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\ps2pdf12.cmd C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Korea1-2 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Decoding\Unicode C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Font\NimbusRoman-Italic C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\examples\cjk\all_ag1.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\bjc610a2.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-GB1-4 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Init\gs_epsf.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\doc\colormanage\figures\proof_link.pdf C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\cid2code.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\pdf2dsc.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\ps2ps2.bat C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-6 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\B5pc-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\doc\src\Ps-style.rst C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\stc800p.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\78-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\IdiomSet\Pscript5Idiom C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\examples\cjk\gscjk_ac.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\bj8gc12f.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\bjc610a8.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\gssetgs32.bat C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\GBpc-EUC-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniGB-UTF16-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\gssetgs.bat C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\ps2pdf.bat C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniJISPro-UCS2-HW-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Init\gs_typ42.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Add-RKSJ-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-CNS1-1 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\viewcmyk.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Font\NimbusSans-Italic C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\doc\GS9_Color_Management.pdf C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\gs_m.xpm C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe

"C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe"

C:\Program Files\gs\gs10.02.1\vcredist_x64.exe

"C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" /norestart /install /quiet

C:\Windows\Temp\{EF04CBCD-B1CE-4F00-8FE0-B9510C396085}\.cr\vcredist_x64.exe

"C:\Windows\Temp\{EF04CBCD-B1CE-4F00-8FE0-B9510C396085}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" -burn.filehandle.attached=556 -burn.filehandle.self=552 /norestart /install /quiet

C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe

"C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe" -q -dNOSAFER -dBATCH "-sFONTDIR=C:/Windows/Fonts" "-sCIDFMAP=C:/Program Files/gs/gs10.02.1/lib/cidfmap" "C:/Program Files/gs/gs10.02.1/lib/mkcidfm.ps"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 137.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

C:\Program Files\gs\gs10.02.1\vcredist_x64.exe

MD5 1398e0b9d13d9cf6f9b932c4564bb9b7
SHA1 c6fdfbfffe1a28f2fe469edaa93ef7c70f3a883a
SHA256 7cca427e433bfd9ab6dd87ed0f8e037d29168d1278b5f8ad3f77e482af6c223a
SHA512 e8c9068bf7a1d9316fe5a5e9bc6b045c2aaeba20cb01aa6751cf3acddfb7a6718589c696b885cfabaf09b445da4523747f309a4b4cad5845499cc1d006daf1f0

C:\Program Files\gs\gs10.02.1\vcredist_x64.exe

MD5 50a0ac7b378b15e89e2f7f24603fe46a
SHA1 5789fecd07caeee6f920eb968a5f19d90b7e640e
SHA256 4f4faa90d4e51ee5ee90f7bf19342f0a47e01b01e810376239c9ec8c72909abd
SHA512 e14a70db6956a7bf8aa5f5fa0c6e8edc2dfc5496c5d6d8a54b3107eaaa22cd792e8a59915cbadc1bbc21bc693bf48809792a2ba7ccbfd5a9e6d3b5cf3de965bc

C:\Windows\Temp\{EF04CBCD-B1CE-4F00-8FE0-B9510C396085}\.cr\vcredist_x64.exe

MD5 7f28c88875700454d8fb733341658edd
SHA1 434159872b168112b86e91cf84f4d9d545ab0410
SHA256 92d6a54089399fab9f00f25ccf568bdc2f4838aefbf37d51bc1ac94ed41508b9
SHA512 7b0d332ef78506e116ad620eb34424d7ca168822f768c30fe54a55168075e88d9fb40f1c4eb02498c3379843f50ac79bcc3d42a77b82d6157bfbd3fc4bd462fb

C:\Windows\Temp\{CA624441-1A89-424D-86D9-CCBF6F00BD18}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{CA624441-1A89-424D-86D9-CCBF6F00BD18}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\modern-wizard.bmp

MD5 cbe40fd2b1ec96daedc65da172d90022
SHA1 366c216220aa4329dff6c485fd0e9b0f4f0a7944
SHA256 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
SHA512 62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe

MD5 afa48925e3fa6a78215e454efdfaa730
SHA1 e16bb545c38998a417ea2412ff780b698dff6387
SHA256 0772e280480805c8d8277db2ff2ac56eca17c733835ccf1ab3a31150e75853b7
SHA512 1bcbefe989314a4aea09afd6874b4e092710c076cf5ba778b7249bbcee4f6a0800998d3f746f58f4151a3d79bedbe29e6addf052fe59575dfb995bca2a607ff2

C:\Program Files\gs\gs10.02.1\bin\gsdll64.dll

MD5 8b1c56e138efc3c678c7eb1d88648592
SHA1 d29bac308e3ed3fa884ea264ae8de5d9b0bd8ab7
SHA256 f96834ba3dc32f81b6a70b11d894f3e495866e386f0e575be6f2acff0f0493b5
SHA512 4b425e0a60107ca2aaae5be43fefe4b40fbcc662529bedd0d0468499569238b0067740e3ef9d8676a44294b43afedb32f2c467f05d69c13d8dfa40428d6e80a8

C:\Program Files\gs\gs10.02.1\lib\mkcidfm.ps

MD5 8c30e8f093b1481e3469aa4e1b8eed71
SHA1 fc67d01c3c5a5d00d8b4ee9091176136a4e79ec8
SHA256 c14f4987a3ef74707893417f8b058b2402835eeb3c80fc06413c2ec9456abca8
SHA512 7dd1618fa0f04665761d532b3306fddfc92df8ad642a32b4f6abacc0ea9d915f5b321a83584b8024809265be57df521ccc6d310f2ae8c5894a82f687ed99f75e

C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\EnVar.dll

MD5 4ee6c0578960bcb5dad78947e0cbffe9
SHA1 dd90488ffde0b0df76e0a5e8dca8192c77619d8b
SHA256 eb182d049ba19f697628e20228af329780aaf62c3585a1e36b9fb988911fe697
SHA512 0592166761c32aa804a26fb90191f636173b6e5144e4c10b100841fcb4d05cc30d8ffc3716e823d02dd3bcc73cfb9106639cf8ae2aeeba409213f2f40df5932c

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240221-en

Max time kernel

845s

Max time network

850s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp

Network

N/A

Files

memory/2404-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2404-1-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win10v2004-20240221-en

Max time kernel

452s

Max time network

1181s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\Makefile

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\Makefile

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240221-en

Max time kernel

838s

Max time network

844s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.txt

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 13:07

Platform

win10v2004-20240221-en

Max time kernel

447s

Max time network

1167s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\API.rst

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\API.rst

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 13:08

Platform

win7-20240221-en

Max time kernel

838s

Max time network

840s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\C-style.rst

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.rst C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.rst\ = "rst_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\rst_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\C-style.rst

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\doc\src\C-style.rst

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc\src\C-style.rst"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c91ec2eb187f482bff04fc506f6d6b2b
SHA1 34c296c80e056afc59ca8bfe312b88ae3e47a08b
SHA256 469dfae3002b5f2e53d31045a6d43ccd0a76bcf278323923eefcf48ebc6f2f0e
SHA512 f19a53f64b5129db34621df64341c71c7f0aa2fb154ff5bcd67484d154a69a781067ef2bc70087ca8bfbba3ccb1c083ed5d6d0ecf15ecc82662f815e0d241041

Analysis: behavioral30

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 13:08

Platform

win10v2004-20240221-en

Max time kernel

451s

Max time network

1173s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\C-style.rst

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\C-style.rst

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win10v2004-20240221-en

Max time kernel

446s

Max time network

1171s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\HowToBuildTheDocs.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\HowToBuildTheDocs.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win10v2004-20240221-en

Max time kernel

441s

Max time network

1170s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\ghostnet-wpf-example.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\ghostnet-wpf-example.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240221-en

Max time kernel

845s

Max time network

852s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\gsviewer.png

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\gsviewer.png

Network

N/A

Files

memory/2132-0-0x0000000000320000-0x0000000000321000-memory.dmp

memory/2132-1-0x0000000000320000-0x0000000000321000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240221-en

Max time kernel

835s

Max time network

838s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.tex C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.tex\ = "tex_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\tex_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc\colormanage\GS9_Color_Management.tex"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ad1c12b59d98c213f9a04fc648171c6a
SHA1 d0add8863b76d418603e80a5a5a4c304c06a942b
SHA256 aed3ff504dad752eafba576f9bec583889c1ba15e039eed05045d53200ea427e
SHA512 d30c1ae95e847a418f172f6a74b5834de786ddf65d59ba674c84c23d5640b04a8dbfe54244b0683b382ca7c547abc2d9d7f8f65f2723512f3e5992bf6ac25348

Analysis: behavioral22

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win10v2004-20240221-en

Max time kernel

447s

Max time network

1175s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\README

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\README

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240221-en

Max time kernel

839s

Max time network

845s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.tex\ = "tex_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.tex C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tex_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 db8e25d74afc10927e5427271d2b6d5c
SHA1 b37db90201b3b0ba4143dca9a5dee0f0d84468b3
SHA256 b743a6c23c3a344c985102623c80de8aa968640326bff168c5ba175cbfdd68e6
SHA512 6bd4a6a15578f475000a27f80f02cc87a912e4c7df5489119a5d7a23662edd79f780177830270c175b25c36b724a8ad6a3a72bd9386ab73e9e06b2f40149d14b

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240220-en

Max time kernel

839s

Max time network

841s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\HowToBuildTheDocs.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\HowToBuildTheDocs.txt

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 13:00

Platform

win7-20240221-en

Max time kernel

844s

Max time network

846s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\API.rst

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.rst C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.rst\ = "rst_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\rst_auto_file\ C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\API.rst

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\doc\src\API.rst

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc\src\API.rst"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 b2034cea3c25aa47240677cf3ecf45ee
SHA1 bd316f0593ab9788933878065f043805e0c595ff
SHA256 87d5297d9bf9cc9a3bc8b86289f757c2226bd433258daa0edb32b95ad074bc64
SHA512 afb2d3c2f4e973f3000c1ea9a91281684e473878c277e3415b6ca7fd7feb8d7b019b2bf0e1d22d05f07bbc436cf20c936e7bbfb543a944f273e99793a3be2670

Analysis: behavioral31

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 13:09

Platform

win7-20240220-en

Max time kernel

840s

Max time network

842s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\Develop.rst

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.rst C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.rst\ = "rst_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rst_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\Develop.rst

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\doc\src\Develop.rst

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc\src\Develop.rst"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d56c20163860a2c93e1654cc85b9b180
SHA1 5b89f23e56aa90a4a2263e9257e77032db6a3971
SHA256 f92422548164914377ab0f482148590542e368ffb7d403ec524984412e2a0a81
SHA512 7b963df241590a0602eeed3ca7f7783ed34164333359c4ff5ada02a05b0723701028636acb97952ae2330b6fd5b6806d6af2f380f635ebe7d1f0aa973ec2e7e6

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240221-en

Max time kernel

845s

Max time network

850s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\export-jar.png

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\export-jar.png

Network

N/A

Files

memory/2076-0-0x0000000001B30000-0x0000000001B31000-memory.dmp

memory/2076-1-0x0000000001B30000-0x0000000001B31000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win10v2004-20240221-en

Max time kernel

446s

Max time network

1176s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\export-jar.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\language-bindings\images\export-jar.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 13:00

Platform

win10v2004-20240221-en

Max time kernel

1176s

Max time network

1178s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240221-en

Max time kernel

835s

Max time network

841s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\COPYING

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\COPYING

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win10v2004-20240221-en

Max time kernel

442s

Max time network

1170s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 4964 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 1292 wrote to memory of 4964 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\doc\pclxps\ghostpdl.tex

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:39

Platform

win7-20240221-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\RKSJ-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniGB-UTF16-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Encoding\CEEncoding C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Font\P052-Italic C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Init\gs_icc.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\doc\src\Ps-style.rst C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\examples\annots.pdf C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\GBK2K-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\doc\src\Ps2epsi.rst C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniJIS-UTF32-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Decoding\Unicode C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\gs_ce_e.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-4 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Ext-RKSJ-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\stc600pl.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\ETen-B5-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\iccprofiles\default_cmyk.icc C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\stc500p.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\IdiomSet\Pscript5Idiom C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\doc\src\thirdparty.rst C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniCNS-UTF16-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniHojo-UTF16-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\GBTpc-EUC-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Identity-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\bjc610b4.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\gssetgs64.bat C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\gst.bat C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\gsnd.bat C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\90ms-RKSJ-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-1 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Init\Fontmap C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Init\gs_dps2.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\doc\pclxps\README C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\font2pcl.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\gslp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Init\gs_wan_e.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-GB1-2 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\necp2x.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\ps2epsi.bat C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\ps2ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\viewjpeg.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan2-0 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniKS-UTF16-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Font\NimbusRoman-Italic C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\doc\src\Ghostscript-Enterprise.rst C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\Info-macos.plist C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\ps2ps2.cmd C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\rinkj-2200-setup C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\stcany_h.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\ColorSpace\TrivialCMYK C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\pdf2ps.bat C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\CNS-EUC-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniCNS-UTF8-H C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\CMap\UniHojo-UTF32-V C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\Init\gs_fonts.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\doc\language-bindings\images\gsviewer.png C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\Fontmap.ATM C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\gslj.bat C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\SubstCID\Korea1-WMode C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\ps2ps2 C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\lib\ras4.upp C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\examples\doretree.ps C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\Resource\ColorSpace\sGray C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A
File created C:\Program Files\gs\gs10.02.1\uninstgs.exe C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1096 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe C:\Program Files\gs\gs10.02.1\vcredist_x64.exe
PID 612 wrote to memory of 1088 N/A C:\Program Files\gs\gs10.02.1\vcredist_x64.exe C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe
PID 1096 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe

"C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe"

C:\Program Files\gs\gs10.02.1\vcredist_x64.exe

"C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" /norestart /install /quiet

C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe

"C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /norestart /install /quiet

C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe

"C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe" -q -dNOSAFER -dBATCH "-sFONTDIR=C:/Windows/Fonts" "-sCIDFMAP=C:/Program Files/gs/gs10.02.1/lib/cidfmap" "C:/Program Files/gs/gs10.02.1/lib/mkcidfm.ps"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsi3390.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsi3390.tmp\nsDialogs.dll

\Program Files\gs\gs10.02.1\vcredist_x64.exe

C:\Program Files\gs\gs10.02.1\vcredist_x64.exe

C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe

\Windows\Temp\{C0FD401F-EDD4-4621-A329-5D332305875E}\.ba\wixstdba.dll

C:\Windows\Temp\{C0FD401F-EDD4-4621-A329-5D332305875E}\.ba\logo.png

C:\Users\Admin\AppData\Local\Temp\nsi3390.tmp\modern-wizard.bmp

\Users\Admin\AppData\Local\Temp\nsi3390.tmp\nsExec.dll

\Program Files\gs\gs10.02.1\bin\gswin64c.exe

C:\Program Files\gs\gs10.02.1\bin\gsdll64.dll

\Program Files\gs\gs10.02.1\bin\gsdll64.dll

C:\Program Files\gs\gs10.02.1\lib\mkcidfm.ps

\Users\Admin\AppData\Local\Temp\nsi3390.tmp\EnVar.dll

\Program Files\gs\gs10.02.1\bin\gswin64.exe

\Program Files\gs\gs10.02.1\uninstgs.exe

Analysis: behavioral19

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 12:57

Platform

win7-20240221-en

Max time kernel

840s

Max time network

846s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\Makefile

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\pclxps\Makefile

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-02-23 12:36

Reported

2024-02-23 13:13

Platform

win10v2004-20240221-en

Max time kernel

440s

Max time network

1167s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\Develop.rst

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\doc\src\Develop.rst

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 105.104.123.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A