Analysis Overview
SHA256
e26f71f1d7eca71a26bd6e794bfd85fdfa272fa4afd6241a639e42c89b397fa4
Threat Level: Shows suspicious behavior
The file ad670610b3764651c7287eb02e5ea6a2 was found to show suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 01:58
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\RageIE.exe
"C:\Users\Admin\AppData\Local\Temp\RageIE.exe"
Network
Files
memory/1552-0-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1552-1-0x0000000000400000-0x0000000000522000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ = "IActiveFormXEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\Clsid\ = "{90255C53-29A3-4D37-944D-481764B00156}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ = "IActiveFormX" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ = "IBannerSoft_AD" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Verb\0\ = "Properties,0,2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ = "IActiveFormX" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ProgID\ = "BannerSoft_ADProj1.BannerSoft_AD" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ = "IBannerSoft_ADEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ = "IActiveFormXEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\ = "BannerSoft_AD Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ = "IBannerSoft_ADEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Verb\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ = "BannerSoft_AD Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Verb\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\FLAGS\ = "2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll,1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\ = "BannerSoft_ADProj1 Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2932 wrote to memory of 2368 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2932 wrote to memory of 2368 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2932 wrote to memory of 2368 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2932 wrote to memory of 2368 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2932 wrote to memory of 2368 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2932 wrote to memory of 2368 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2932 wrote to memory of 2368 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\accon.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\accon.dll
Network
Files
memory/2368-0-0x0000000000410000-0x00000000004B5000-memory.dmp
memory/2368-1-0x0000000000410000-0x00000000004B5000-memory.dmp
memory/2368-2-0x00000000000C0000-0x00000000000C2000-memory.dmp
memory/2368-3-0x00000000000C0000-0x00000000000C2000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ = "IBannerSoft_AD" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll,1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ = "BannerSoft_AD Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\FLAGS\ = "2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ = "IActiveFormX" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Verb | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ = "IActiveFormX" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\Clsid\ = "{90255C53-29A3-4D37-944D-481764B00156}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ProgID\ = "BannerSoft_ADProj1.BannerSoft_AD" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\1\ = "205201" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ = "IActiveFormXEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\ = "BannerSoft_ADProj1 Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4164 wrote to memory of 2340 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4164 wrote to memory of 2340 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4164 wrote to memory of 2340 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\accon.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\accon.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/2340-0-0x0000000000400000-0x00000000004A5000-memory.dmp
memory/2340-1-0x00000000009E0000-0x00000000009E2000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win7-20240220-en
Max time kernel
117s
Max time network
128s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6057e1d1b26ada01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000007af83f049fb9fa574b510109dae6e2f8c0e9d96c729fa4e83cb0e044182d58dc000000000e8000000002000020000000ea632ba65b450b575e1a8541562103caa12e7e254d0557595334d97d8367209320000000cb1fb843232f2d9869dad4132c19dcb504fd203796bec8157b398868cde82e9540000000b11db12d3250336db2f104197f02ae9b3edb32f447450e01567073799a6bcf4aa11c555959ea298102171c6d9e27e634c7a6a3f2ee445f91d83efbf1bb0030fa | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD54D071-D6A5-11EE-8554-DE288D05BF47} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415333758" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2364 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2364 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2364 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2364 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\default.htm
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab2196.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Cab22B2.tmp
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar22C7.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7aec9147fe027742345f17f3946d0c6 |
| SHA1 | 306294af9f256b10ae286d8026ba85c7df38d4fb |
| SHA256 | 47890b96a4c8b647450f3d501f5b4c241c1d015f35a223232592604488101fbd |
| SHA512 | 1fd2979436547fac22cdd973d094214dbba0cca32c79eb05832f1b5af00c201d5c6ca34c1e90d9cf7d2e55ce3f64518083e2d5e3df24b3039854f5696c9fb7b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 227aba41c5380f13a64762161fb598fb |
| SHA1 | 24bcf45e0d8edd180ee37566fb6b6bf3845edd6c |
| SHA256 | 74fbd7b88abd02f8dea231aabee214ac8ceddb0714dfc8f1de525096ce88bda2 |
| SHA512 | cd74b41107c29ec2394b740a9423097b7e00932df067da26bef6656b94fb686d29f3c391b14038b5a249070bd8b8fe07d61c835cdde3fdc827dbc2e8601ec314 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5f6cfd6fe2d39a10f332e7951fb43ccf |
| SHA1 | deed7b74fb948311a824bb5f8ed60fe9dd0e653d |
| SHA256 | e64bfd00d7f4b4c7a4318a908ee81a2c4b780ab165b8e0c23ced54ac2b1b8d04 |
| SHA512 | 200e3b4844f81c0f1572ef35dd0f77d0a5fe47ee47e9660af98926807c4ed053213e3b10e62b0b9af7770984e509f08fea33ec6a0a295dbb00b4037a773e1de8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4d7e24a9f61a7057631e1fb1134be89e |
| SHA1 | aa4b9175978d43f450810dd1b062da164b50786e |
| SHA256 | a5cec03fdc1cf56f928a098a564c7b56fef3023add986e068d14945656ffda20 |
| SHA512 | afd075f6910e0d1c5ac877858753dc277ebae0db4d8ddbc98c5ab3035447b03e36f25b290e4bc8c877a582bc5914bbfc1ebdcbbd759e76cc092eadd99fb21fd6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ce432e346c8f10cc56b49120694f8a1a |
| SHA1 | 4ecadc7cb66ac86b6c44d1a2704492858a031fba |
| SHA256 | 415b7713e513798add3dfee4d0ea6dfcedad8fdc9b7628caeda27236778eb9f0 |
| SHA512 | 128ac930f02a081e3bcebb82043cdd9a441bfdbe53fca001acfb2c75a622372dfc9030e41691902cc365760984f115dceff5b6908e067faf0307ccefcbd22618 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5549fb807d2b5965387f2d815fa09283 |
| SHA1 | 387d6ff6042d4da8b6de1954238a10845bc9ee67 |
| SHA256 | 5c50a42bcd76edb5cd5d32f3d0283b8e05cf3170fcbd71f29a110715e1b84ea9 |
| SHA512 | cf4a41311f12e92175812a97eadf9c79a9f6697c63fa1b18cc0ea1f3ed2a8f249622c6e01a68608972fff97d5e2b1890091e59f29d2ba8498258745e3bad86db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5aa8f15156215f5d6b81b76a62a56ed |
| SHA1 | 490bf4e9006c092a4130b9d65e3c6173978da734 |
| SHA256 | 7175651122993ace504ee4abddec4405b8b2770e896d0ce71574e672fb9a1c33 |
| SHA512 | 9fcc5b2683b7d3ecf06e1458d572b2c0f0a6c841560f9fa72cd91cb30ba88fbb8e8f43da3672185a2e1cc05c273772b4147a0d5bd7b105e197e5151b34b75e25 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 11bb36fec880a428d089f2f395fdf0c8 |
| SHA1 | 86ce8936e00192198c226a58782d416b2adf70e5 |
| SHA256 | f9ada2b5785716e286c73d9d881d6b8123a96c41bee391fc6dadef07b37d0146 |
| SHA512 | 8073b6fd48833f60f9571a796762b2ed6020efab8e1b00e04e8caf8f1b7a83a982e1e4b1359dbf6eae2c0b14340594fb93b654682592096476d8d522bafe1c9b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6e2cc0bc59aaa13bdb1fc46a514ba0fd |
| SHA1 | 1fea33026a6eb2afb45f4d60d4c8ddb1a17889f0 |
| SHA256 | bf6a5de500a0f30b2c1743205e90c67467e8de4999314c42c25f0759195bce11 |
| SHA512 | 917dd17f244e0b326295928ad69ff1f63e3ada8527ef4f29bb906c6cb3ae67b30476e67c50aef64f8ccabedc85fc93ff271971222bda2802efccd83e3a06d4ac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6045caa4f415a11e616c65a5d3e6d121 |
| SHA1 | 81e798cf7e96080ef946070faff28d3e276e14c6 |
| SHA256 | 483c9858dd11758c7ce1bb992413d3292b77b72a04c0477432ad8e44eeb4128e |
| SHA512 | 1dd3a119af1d87767db01b612bd6d629ed82561bdcec310bedd846ee69ad4cdd44165658d1f00db0bde3547c9d506fd271d24b314fe31693977f1b0c72cda0d8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dd88ff39729c0f8d3e31baebceba16d7 |
| SHA1 | d842c140c2ff0f86dc8f5839895400cb98641d93 |
| SHA256 | bccaadc67fb33afeedfbf72f504381d5be07185771f9ec9ccb2bd6ca0691e502 |
| SHA512 | ec9935e4d08c37d99eac1f25abe2cc557460975a684a1a48c32d9cdb9f6f24b6d4156255c213cf36a68cf92cd3a05ec7eec91f5a2a450498864bb69a4600b764 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b8941eb8b40892f01f607b2a12282799 |
| SHA1 | 00d24c3cc69d0f397edffc326a8f4a551645cea6 |
| SHA256 | 4e08f7dcb569803f5f75994ddbcda9ba6e9ae597c536d3c064cb4dc4550a8589 |
| SHA512 | b601a46fc46e2b3742b21bc55a20b02e1655b7a435a2a122345865edb80711b105015cffa23cea923e69580fe7e4975e1559b39136c142198d2581210f84ac23 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6810500b3888c6b257d4b47635ebb12f |
| SHA1 | db5188d5c366d559877be096745fa53ec1a3dde1 |
| SHA256 | ec156c88088c8cca8ba46a6c0462e7bb54d771004e86682ff566bb08917b979f |
| SHA512 | e6e0aae3bc5315aedefc82e1a17108c5374dcbabd417a0a7358ed3dfba5d9c3a973cd008be150be780914233ac1e2b2507e4d930ae1c9a3d8ef83d89a66d73b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 060e7290fbb6e50bc5249bff0f2f2ef8 |
| SHA1 | 9335468e3789d4d4c19c5dc85858cd829e202b30 |
| SHA256 | 6f87e8e7245d4abe4c0329bc9409e8e4a25c683d707ba508e5d6febcabc7fd51 |
| SHA512 | a7be0f07118b40cd4a7d2f1f2084041f23ceb168b6405398dbdfb129798e1dd83995e2a1df8a80ca10aee2b74e40b1379dd95dba01a7db840afe4a49a2070104 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae76815c4d7798900b94a5288ae8dfb1 |
| SHA1 | 510e6c1c4461a0d4c0a1006503792e296e25add6 |
| SHA256 | 4227fc57ac5572445bb93989a20db3c709969bde6ea02b6b33e78f0e47674359 |
| SHA512 | 0c23bf78d3b19261936a3494eedd2c95d3babd8682ca57bcbbe5851bcd41a498c6086605e6d5ad585b7bbe7bfadf350965306d1e2aadd873dc71676a4fec8278 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6ad775f95fdacdc62734d3cccce6d387 |
| SHA1 | c4245a62715dc12b9b86d339ab93bb348ea2d135 |
| SHA256 | 7fc29da14e7654c7390069df133f9c6ba28a276427ddf5d034b8c433d16b2bdd |
| SHA512 | 8f949f8f9e62759a907ddb77150380c459b9f74ab9cebf79c407336790793659f98122775b01a8d82930e81c0849b8cb2d751df745e1fc190b29b747c56ab5e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5e882676c2c94fa6530a1f30634afad9 |
| SHA1 | 3f93d0707541329e6a52a5f1038355670134b6cd |
| SHA256 | 1864d330e69f929d8e2236602a88f6ad17515c3db1c85c7341f4b2257c5dec2a |
| SHA512 | 5dd193e841945e00d37064df65c4cd0f585842998b7cc16d523bfe6ace9f1e77f1e0000bcd8a72db9b8d11c05e7d4e49f75a87b23d40a3c89711b525fa3c6f02 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1edd2f39d95f2e66d6664e779853fa5f |
| SHA1 | 239fa54bb18d6127bb96b4cba30689e5c3eaf568 |
| SHA256 | a5c25946cb78a952f224107cb8313c8f8726de3897103f6c89c23beef218960d |
| SHA512 | f5b976032e4749e528e0f41121a228d130303cd0c0f58395dc2cf8209c0f107fe3a22636a8ca1b62066d7548cb1d62936463ff0b3f19b96a457d78a2bb6ba4c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8cfda886c35a22de92f8c56a499933eb |
| SHA1 | 8266be75d85f4f6b6a7cf3bdba6e35a5b337c466 |
| SHA256 | 37fe79ac44e6cb71627bb3e5957299587dbd0c86c6c5163a0445fca6008744f2 |
| SHA512 | a8aa6096792a8c5ccb1eb38283d48a75956e4d037be2734274b9e77cb34f98b2155321e0455504dd9a286275ed323c7076405feb6caf0f8b88d9f38bcb586b38 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win7-20240221-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\RageDistrictInfo.exe
"C:\Users\Admin\AppData\Local\Temp\RageDistrictInfo.exe"
Network
Files
memory/1968-0-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/1968-1-0x0000000000400000-0x0000000000548000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\RageFunFont.exe
"C:\Users\Admin\AppData\Local\Temp\RageFunFont.exe"
Network
Files
memory/1824-1-0x0000000000400000-0x000000000050B000-memory.dmp
memory/1824-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1824-2-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\default.htm
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3968 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4776 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4536 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5512 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5848 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6020 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| GB | 51.140.242.104:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 88.221.135.81:443 | bzib.nelreports.net | tcp |
| GB | 92.123.241.137:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 137.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.242.140.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 94.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| GB | 92.123.128.167:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 167.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| GB | 92.123.128.167:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\非常世纪资源网.url
Network
Files
memory/1692-0-0x0000000001C40000-0x0000000001C41000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win7-20240221-en
Max time kernel
141s
Max time network
122s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe
"C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe"
Network
Files
memory/1624-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1624-2-0x0000000000400000-0x000000000064B000-memory.dmp
memory/1624-4-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win10v2004-20240226-en
Max time kernel
157s
Max time network
156s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe
"C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3208 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| IE | 209.85.203.95:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 95.203.85.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
memory/1352-0-0x0000000000400000-0x000000000064B000-memory.dmp
memory/1352-1-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/1352-2-0x0000000000400000-0x000000000064B000-memory.dmp
memory/1352-4-0x0000000000400000-0x000000000064B000-memory.dmp
memory/1352-5-0x00000000024F0000-0x00000000024F1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\RageDistrictInfo.exe
"C:\Users\Admin\AppData\Local\Temp\RageDistrictInfo.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/2216-0-0x0000000000400000-0x0000000000548000-memory.dmp
memory/2216-1-0x0000000000740000-0x0000000000741000-memory.dmp
memory/2216-2-0x0000000000400000-0x0000000000548000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\RageFunFont.exe
"C:\Users\Admin\AppData\Local\Temp\RageFunFont.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/4696-0-0x00000000022B0000-0x00000000022B1000-memory.dmp
memory/4696-1-0x0000000000400000-0x000000000050B000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
128s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\RageIE.exe
"C:\Users\Admin\AppData\Local\Temp\RageIE.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
memory/1800-0-0x0000000000820000-0x0000000000821000-memory.dmp
memory/1800-1-0x0000000000400000-0x0000000000522000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-29 01:58
Reported
2024-02-29 02:00
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\非常世纪资源网.url
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |