Malware Analysis Report

2025-08-11 01:27

Sample ID 240229-cdv29sba45
Target ad670610b3764651c7287eb02e5ea6a2
SHA256 e26f71f1d7eca71a26bd6e794bfd85fdfa272fa4afd6241a639e42c89b397fa4
Tags
aspackv2
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral9 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral10 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral11 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral12 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral13 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral14 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

e26f71f1d7eca71a26bd6e794bfd85fdfa272fa4afd6241a639e42c89b397fa4

Threat Level: Shows suspicious behavior

The file ad670610b3764651c7287eb02e5ea6a2 was classified as: Shows suspicious behavior.

Malicious Activity Summary

aspackv2

ASPack v2.12-2.42

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 01:58

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RageIE.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RageIE.exe

"C:\Users\Admin\AppData\Local\Temp\RageIE.exe"

Network

N/A

Files

memory/1552-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1552-1-0x0000000000400000-0x0000000000522000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\accon.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ = "IActiveFormXEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\Clsid\ = "{90255C53-29A3-4D37-944D-481764B00156}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ = "IActiveFormX" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ = "IBannerSoft_AD" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Verb\0\ = "Properties,0,2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ = "IActiveFormX" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ProgID\ = "BannerSoft_ADProj1.BannerSoft_AD" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ = "IBannerSoft_ADEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ = "IActiveFormXEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\ = "BannerSoft_AD Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ = "IBannerSoft_ADEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Verb\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ = "BannerSoft_AD Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Verb\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\FLAGS\ = "2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll,1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\ = "BannerSoft_ADProj1 Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2368 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2368 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2368 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2368 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2368 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2368 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2368 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\accon.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\accon.dll

Network

N/A

Files

memory/2368-0-0x0000000000410000-0x00000000004B5000-memory.dmp

memory/2368-1-0x0000000000410000-0x00000000004B5000-memory.dmp

memory/2368-2-0x00000000000C0000-0x00000000000C2000-memory.dmp

memory/2368-3-0x00000000000C0000-0x00000000000C2000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\accon.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ = "IBannerSoft_AD" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll,1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ = "BannerSoft_AD Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\FLAGS\ = "2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ = "IActiveFormX" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Verb C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ = "IActiveFormX" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\Clsid\ = "{90255C53-29A3-4D37-944D-481764B00156}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ProgID\ = "BannerSoft_ADProj1.BannerSoft_AD" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\1\ = "205201" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ = "IActiveFormXEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\ = "BannerSoft_ADProj1 Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4164 wrote to memory of 2340 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4164 wrote to memory of 2340 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4164 wrote to memory of 2340 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\accon.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\accon.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/2340-0-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/2340-1-0x00000000009E0000-0x00000000009E2000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win7-20240220-en

Max time kernel

117s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\default.htm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6057e1d1b26ada01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000007af83f049fb9fa574b510109dae6e2f8c0e9d96c729fa4e83cb0e044182d58dc000000000e8000000002000020000000ea632ba65b450b575e1a8541562103caa12e7e254d0557595334d97d8367209320000000cb1fb843232f2d9869dad4132c19dcb504fd203796bec8157b398868cde82e9540000000b11db12d3250336db2f104197f02ae9b3edb32f447450e01567073799a6bcf4aa11c555959ea298102171c6d9e27e634c7a6a3f2ee445f91d83efbf1bb0030fa C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD54D071-D6A5-11EE-8554-DE288D05BF47} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415333758" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\default.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab2196.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab22B2.tmp

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar22C7.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7aec9147fe027742345f17f3946d0c6
SHA1 306294af9f256b10ae286d8026ba85c7df38d4fb
SHA256 47890b96a4c8b647450f3d501f5b4c241c1d015f35a223232592604488101fbd
SHA512 1fd2979436547fac22cdd973d094214dbba0cca32c79eb05832f1b5af00c201d5c6ca34c1e90d9cf7d2e55ce3f64518083e2d5e3df24b3039854f5696c9fb7b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 227aba41c5380f13a64762161fb598fb
SHA1 24bcf45e0d8edd180ee37566fb6b6bf3845edd6c
SHA256 74fbd7b88abd02f8dea231aabee214ac8ceddb0714dfc8f1de525096ce88bda2
SHA512 cd74b41107c29ec2394b740a9423097b7e00932df067da26bef6656b94fb686d29f3c391b14038b5a249070bd8b8fe07d61c835cdde3fdc827dbc2e8601ec314

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f6cfd6fe2d39a10f332e7951fb43ccf
SHA1 deed7b74fb948311a824bb5f8ed60fe9dd0e653d
SHA256 e64bfd00d7f4b4c7a4318a908ee81a2c4b780ab165b8e0c23ced54ac2b1b8d04
SHA512 200e3b4844f81c0f1572ef35dd0f77d0a5fe47ee47e9660af98926807c4ed053213e3b10e62b0b9af7770984e509f08fea33ec6a0a295dbb00b4037a773e1de8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d7e24a9f61a7057631e1fb1134be89e
SHA1 aa4b9175978d43f450810dd1b062da164b50786e
SHA256 a5cec03fdc1cf56f928a098a564c7b56fef3023add986e068d14945656ffda20
SHA512 afd075f6910e0d1c5ac877858753dc277ebae0db4d8ddbc98c5ab3035447b03e36f25b290e4bc8c877a582bc5914bbfc1ebdcbbd759e76cc092eadd99fb21fd6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce432e346c8f10cc56b49120694f8a1a
SHA1 4ecadc7cb66ac86b6c44d1a2704492858a031fba
SHA256 415b7713e513798add3dfee4d0ea6dfcedad8fdc9b7628caeda27236778eb9f0
SHA512 128ac930f02a081e3bcebb82043cdd9a441bfdbe53fca001acfb2c75a622372dfc9030e41691902cc365760984f115dceff5b6908e067faf0307ccefcbd22618

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5549fb807d2b5965387f2d815fa09283
SHA1 387d6ff6042d4da8b6de1954238a10845bc9ee67
SHA256 5c50a42bcd76edb5cd5d32f3d0283b8e05cf3170fcbd71f29a110715e1b84ea9
SHA512 cf4a41311f12e92175812a97eadf9c79a9f6697c63fa1b18cc0ea1f3ed2a8f249622c6e01a68608972fff97d5e2b1890091e59f29d2ba8498258745e3bad86db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5aa8f15156215f5d6b81b76a62a56ed
SHA1 490bf4e9006c092a4130b9d65e3c6173978da734
SHA256 7175651122993ace504ee4abddec4405b8b2770e896d0ce71574e672fb9a1c33
SHA512 9fcc5b2683b7d3ecf06e1458d572b2c0f0a6c841560f9fa72cd91cb30ba88fbb8e8f43da3672185a2e1cc05c273772b4147a0d5bd7b105e197e5151b34b75e25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11bb36fec880a428d089f2f395fdf0c8
SHA1 86ce8936e00192198c226a58782d416b2adf70e5
SHA256 f9ada2b5785716e286c73d9d881d6b8123a96c41bee391fc6dadef07b37d0146
SHA512 8073b6fd48833f60f9571a796762b2ed6020efab8e1b00e04e8caf8f1b7a83a982e1e4b1359dbf6eae2c0b14340594fb93b654682592096476d8d522bafe1c9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e2cc0bc59aaa13bdb1fc46a514ba0fd
SHA1 1fea33026a6eb2afb45f4d60d4c8ddb1a17889f0
SHA256 bf6a5de500a0f30b2c1743205e90c67467e8de4999314c42c25f0759195bce11
SHA512 917dd17f244e0b326295928ad69ff1f63e3ada8527ef4f29bb906c6cb3ae67b30476e67c50aef64f8ccabedc85fc93ff271971222bda2802efccd83e3a06d4ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6045caa4f415a11e616c65a5d3e6d121
SHA1 81e798cf7e96080ef946070faff28d3e276e14c6
SHA256 483c9858dd11758c7ce1bb992413d3292b77b72a04c0477432ad8e44eeb4128e
SHA512 1dd3a119af1d87767db01b612bd6d629ed82561bdcec310bedd846ee69ad4cdd44165658d1f00db0bde3547c9d506fd271d24b314fe31693977f1b0c72cda0d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd88ff39729c0f8d3e31baebceba16d7
SHA1 d842c140c2ff0f86dc8f5839895400cb98641d93
SHA256 bccaadc67fb33afeedfbf72f504381d5be07185771f9ec9ccb2bd6ca0691e502
SHA512 ec9935e4d08c37d99eac1f25abe2cc557460975a684a1a48c32d9cdb9f6f24b6d4156255c213cf36a68cf92cd3a05ec7eec91f5a2a450498864bb69a4600b764

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8941eb8b40892f01f607b2a12282799
SHA1 00d24c3cc69d0f397edffc326a8f4a551645cea6
SHA256 4e08f7dcb569803f5f75994ddbcda9ba6e9ae597c536d3c064cb4dc4550a8589
SHA512 b601a46fc46e2b3742b21bc55a20b02e1655b7a435a2a122345865edb80711b105015cffa23cea923e69580fe7e4975e1559b39136c142198d2581210f84ac23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6810500b3888c6b257d4b47635ebb12f
SHA1 db5188d5c366d559877be096745fa53ec1a3dde1
SHA256 ec156c88088c8cca8ba46a6c0462e7bb54d771004e86682ff566bb08917b979f
SHA512 e6e0aae3bc5315aedefc82e1a17108c5374dcbabd417a0a7358ed3dfba5d9c3a973cd008be150be780914233ac1e2b2507e4d930ae1c9a3d8ef83d89a66d73b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 060e7290fbb6e50bc5249bff0f2f2ef8
SHA1 9335468e3789d4d4c19c5dc85858cd829e202b30
SHA256 6f87e8e7245d4abe4c0329bc9409e8e4a25c683d707ba508e5d6febcabc7fd51
SHA512 a7be0f07118b40cd4a7d2f1f2084041f23ceb168b6405398dbdfb129798e1dd83995e2a1df8a80ca10aee2b74e40b1379dd95dba01a7db840afe4a49a2070104

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae76815c4d7798900b94a5288ae8dfb1
SHA1 510e6c1c4461a0d4c0a1006503792e296e25add6
SHA256 4227fc57ac5572445bb93989a20db3c709969bde6ea02b6b33e78f0e47674359
SHA512 0c23bf78d3b19261936a3494eedd2c95d3babd8682ca57bcbbe5851bcd41a498c6086605e6d5ad585b7bbe7bfadf350965306d1e2aadd873dc71676a4fec8278

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ad775f95fdacdc62734d3cccce6d387
SHA1 c4245a62715dc12b9b86d339ab93bb348ea2d135
SHA256 7fc29da14e7654c7390069df133f9c6ba28a276427ddf5d034b8c433d16b2bdd
SHA512 8f949f8f9e62759a907ddb77150380c459b9f74ab9cebf79c407336790793659f98122775b01a8d82930e81c0849b8cb2d751df745e1fc190b29b747c56ab5e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e882676c2c94fa6530a1f30634afad9
SHA1 3f93d0707541329e6a52a5f1038355670134b6cd
SHA256 1864d330e69f929d8e2236602a88f6ad17515c3db1c85c7341f4b2257c5dec2a
SHA512 5dd193e841945e00d37064df65c4cd0f585842998b7cc16d523bfe6ace9f1e77f1e0000bcd8a72db9b8d11c05e7d4e49f75a87b23d40a3c89711b525fa3c6f02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1edd2f39d95f2e66d6664e779853fa5f
SHA1 239fa54bb18d6127bb96b4cba30689e5c3eaf568
SHA256 a5c25946cb78a952f224107cb8313c8f8726de3897103f6c89c23beef218960d
SHA512 f5b976032e4749e528e0f41121a228d130303cd0c0f58395dc2cf8209c0f107fe3a22636a8ca1b62066d7548cb1d62936463ff0b3f19b96a457d78a2bb6ba4c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cfda886c35a22de92f8c56a499933eb
SHA1 8266be75d85f4f6b6a7cf3bdba6e35a5b337c466
SHA256 37fe79ac44e6cb71627bb3e5957299587dbd0c86c6c5163a0445fca6008744f2
SHA512 a8aa6096792a8c5ccb1eb38283d48a75956e4d037be2734274b9e77cb34f98b2155321e0455504dd9a286275ed323c7076405feb6caf0f8b88d9f38bcb586b38

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RageDistrictInfo.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RageDistrictInfo.exe

"C:\Users\Admin\AppData\Local\Temp\RageDistrictInfo.exe"

Network

N/A

Files

memory/1968-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1968-1-0x0000000000400000-0x0000000000548000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RageFunFont.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RageFunFont.exe

"C:\Users\Admin\AppData\Local\Temp\RageFunFont.exe"

Network

N/A

Files

memory/1824-1-0x0000000000400000-0x000000000050B000-memory.dmp

memory/1824-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1824-2-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\default.htm

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\default.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3968 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4776 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4536 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5512 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5848 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6020 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 88.221.135.81:443 bzib.nelreports.net tcp
GB 92.123.241.137:443 www.microsoft.com tcp
US 8.8.8.8:53 137.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 81.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 104.208.16.94:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 94.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
GB 92.123.128.167:443 www.bing.com tcp
US 8.8.8.8:53 167.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
GB 92.123.128.167:443 www.bing.com tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
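The Network tables in this report (this one, the ieonline.microsoft.com rows above, and the tables for behavioral2, behavioral4, behavioral6, behavioral8 and behavioral14 below) mix three kinds of rows: queries to the sandbox resolver at 8.8.8.8:53, reverse (PTR) lookups of addresses the guest has just talked to, and the actual TCP connections, most of which go to Microsoft and Google hosts that Edge and Windows contact on their own. The Python below is an added triage helper, not part of this report or of the sandbox's tooling. Its sample rows are copied from the behavioral12 and behavioral2 tables; the resolver address, the browser-noise suffix list and the PTR correlation rule are assumptions, and the two connections that carry no domain (172.217.169.74:443 and 20.231.121.79:80) are returned as "review" items, not as verdicts.

```python
"""Triage the sandbox 'Network' tables: drop resolver, PTR and browser noise,
keep what an analyst should actually look at.

Added example; not part of this report or the sandbox's own tooling.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample input: rows copied from the behavioral12 and behavioral2
# Network tables of this report (columns: Country Destination Domain Proto;
# the Domain column is empty for two of the TCP rows, exactly as in the report).
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
GB 92.123.241.137:443 www.microsoft.com tcp
US 8.8.8.8:53 137.241.123.92.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 172.217.169.74:443 tcp
US 20.231.121.79:80 tcp
IE 209.85.203.95:443 chromewebstore.googleapis.com tcp
US 204.79.197.200:443 g.bing.com tcp
"""

ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Assumptions: the sandbox forwards every DNS query to 8.8.8.8:53 (visible in all
# the tables above), and these suffixes are hosts Edge/IE/Windows reach on their
# own during a detonation. Extend the tuple for your own sandbox image.
SANDBOX_RESOLVER = ("8.8.8.8", 53)
BROWSER_NOISE_SUFFIXES = (".microsoft.com", ".bing.com", ".nelreports.net",
                          ".azureedge.net", ".googleapis.com", ".s-microsoft.com")


def parse_rows(text):
    """Parse the flattened table into dicts; fail loudly on a row we don't understand."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country "):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def ptr_to_ip(name):
    """'137.241.123.92.in-addr.arpa' -> '92.123.241.137' (PTR names reverse the octets)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(row):
    domain = row["domain"]
    if domain and domain.endswith(".in-addr.arpa"):
        return "ptr"            # guest reverse-resolving an address it just used
    if (row["ip"], row["port"]) == SANDBOX_RESOLVER:
        return "dns-query"
    if ipaddress.ip_address(row["ip"]).is_multicast:
        return "multicast"      # mDNS/SSDP chatter inside the sandbox network
    if domain and domain.endswith(BROWSER_NOISE_SUFFIXES):
        return "browser-noise"
    if domain is None:
        return "unresolved"     # connection the sandbox could not tie to a lookup
    return "review"


def triage(text):
    rows = parse_rows(text)
    counts = Counter(classify(r) for r in rows)
    connections = {r["ip"]: r for r in rows if classify(r) not in ("ptr", "dns-query")}
    # A PTR row whose reversed name is an address already in the table is the guest
    # looking up a connection that is listed anyway, not a new contact.
    ptr_hits = {}
    for r in rows:
        if classify(r) == "ptr":
            ip = ptr_to_ip(r["domain"])
            if ip in connections:
                ptr_hits[ip] = connections[ip]["domain"]
    review = sorted((r["ip"], r["port"], r["proto"])
                    for r in rows if classify(r) in ("unresolved", "review"))
    return {"counts": dict(counts), "review": review, "ptr_hits": ptr_hits}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print("row classes:", result["counts"])
    print("endpoints worth a look:", result["review"])
    print("PTR lookups matching a listed connection:", result["ptr_hits"])
```

Run on the rows above, the only endpoints left for review are the two without a domain. 20.231.121.79:80 also appears in behavioral4, a win10 run of a different executable (RageDistrictInfo.exe rather than PersonalAssist.exe), which points to guest background traffic rather than to the sample, but nothing in the report attributes it, so the helper leaves it on the list. The PTR correlation is what tells you that rows such as 137.241.123.92.in-addr.arpa refer to www.microsoft.com at 92.123.241.137, already in the table, and add no new destination.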

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\非常世纪资源网.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\非常世纪资源网.url

Network

N/A

Files

memory/1692-0-0x0000000001C40000-0x0000000001C41000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win7-20240221-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe

"C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe"

Network

N/A

Files

memory/1624-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1624-2-0x0000000000400000-0x000000000064B000-memory.dmp

memory/1624-4-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe

"C:\Users\Admin\AppData\Local\Temp\PersonalAssist.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3208 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
IE 209.85.203.95:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 95.203.85.209.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

memory/1352-0-0x0000000000400000-0x000000000064B000-memory.dmp

memory/1352-1-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/1352-2-0x0000000000400000-0x000000000064B000-memory.dmp

memory/1352-4-0x0000000000400000-0x000000000064B000-memory.dmp

memory/1352-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RageDistrictInfo.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RageDistrictInfo.exe

"C:\Users\Admin\AppData\Local\Temp\RageDistrictInfo.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/2216-0-0x0000000000400000-0x0000000000548000-memory.dmp

memory/2216-1-0x0000000000740000-0x0000000000741000-memory.dmp

memory/2216-2-0x0000000000400000-0x0000000000548000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RageFunFont.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RageFunFont.exe

"C:\Users\Admin\AppData\Local\Temp\RageFunFont.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/4696-0-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/4696-1-0x0000000000400000-0x000000000050B000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RageIE.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RageIE.exe

"C:\Users\Admin\AppData\Local\Temp\RageIE.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

memory/1800-0-0x0000000000820000-0x0000000000821000-memory.dmp

memory/1800-1-0x0000000000400000-0x0000000000522000-memory.dmp
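Each run's Files list ends with memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp entries, the regions the sandbox dumped from the sample's process (behavioral3, behavioral5, behavioral13, behavioral1, behavioral2, behavioral4, behavioral6 and behavioral8 above). Read against the aspackv2 tag on this sample, the region starting at 0x400000 (the default ImageBase of a 32-bit PE, evidently not relocated here) is the mapped image, and because ASPack decompresses the original sections in place that dump is the candidate for PE rebuilding; the one-page regions are scratch memory. The Python below is an added example, not from the report or the sandbox: it decodes the names and checks that the same executable yields the same image size on win7 and win10. The dump names are copied from behavioral3, behavioral4, behavioral1 and behavioral8; reading the fields as pid, dump sequence number and [start, end) range, and reading single pages as scratch memory, are assumptions.

```python
"""Decode the sandbox's memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp names and
compare the dumped image region across runs.

Added example; not part of this report or the sandbox's own tooling.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample input: dump names copied from the Files lists of the runs
# named in the keys. Reading the fields as pid, dump sequence number and the
# [start, end) virtual range is an inference from the listings (assumption).
SAMPLE_DUMPS = {
    "behavioral3 win7 RageDistrictInfo.exe": [
        "memory/1968-0-0x00000000003A0000-0x00000000003A1000-memory.dmp",
        "memory/1968-1-0x0000000000400000-0x0000000000548000-memory.dmp",
    ],
    "behavioral4 win10 RageDistrictInfo.exe": [
        "memory/2216-0-0x0000000000400000-0x0000000000548000-memory.dmp",
        "memory/2216-1-0x0000000000740000-0x0000000000741000-memory.dmp",
        "memory/2216-2-0x0000000000400000-0x0000000000548000-memory.dmp",
    ],
    "behavioral1 win7 PersonalAssist.exe": [
        "memory/1624-0-0x0000000000220000-0x0000000000221000-memory.dmp",
        "memory/1624-2-0x0000000000400000-0x000000000064B000-memory.dmp",
        "memory/1624-4-0x0000000000220000-0x0000000000221000-memory.dmp",
    ],
    "behavioral8 win10 RageIE.exe": [
        "memory/1800-0-0x0000000000820000-0x0000000000821000-memory.dmp",
        "memory/1800-1-0x0000000000400000-0x0000000000522000-memory.dmp",
    ],
}

DEFAULT_IMAGE_BASE = 0x400000   # default ImageBase of a 32-bit PE; these dumps show no relocation
PAGE = 0x1000


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def summarize(dumps_by_run):
    """Per run: the region dumped at the default image base (where an ASPack
    sample's unpacked sections live, since ASPack decompresses in place) and the
    single-page regions, which read as scratch memory rather than code (assumption)."""
    out = {}
    for run, names in dumps_by_run.items():
        regions = [parse_dump_name(n) for n in names]
        image = [r for r in regions if r["start"] == DEFAULT_IMAGE_BASE]
        out[run] = {
            "pid": regions[0]["pid"],
            "image_size": image[0]["size"] if image else None,
            "image_pages": image[0]["size"] // PAGE if image else None,
            "image_dumps": len(image),          # >1 means the sandbox re-dumped the image
            "single_pages": sorted({hex(r["start"]) for r in regions if r["size"] == PAGE}),
        }
    return out


def image_sizes_for(summary, exe_name):
    """Image-region sizes for one executable across runs; identical sizes on win7
    and win10 mean the sandbox caught the same mapped image in both, so either
    dump serves for unpacking work."""
    sizes = {run: s["image_size"] for run, s in summary.items() if exe_name in run}
    return sizes, len(set(sizes.values())) == 1


if __name__ == "__main__":
    summary = summarize(SAMPLE_DUMPS)
    for run, s in summary.items():
        print(f"{run}: pid {s['pid']}, image 0x{s['image_size']:x} bytes "
              f"({s['image_pages']} pages, dumped {s['image_dumps']}x), "
              f"scratch pages {s['single_pages']}")
    print(image_sizes_for(summary, "RageDistrictInfo.exe"))
```

For RageDistrictInfo.exe both platforms dumped 0x400000-0x548000 (0x148000 bytes, 328 pages), and the win10 run dumped it twice (sequence 0 and 2), which is the usual sign that the sandbox snapshotted the image again after the process wrote to it. A dump name alone does not say whether the snapshot was taken before or after the unpacking stub finished, so check the entry point region in the dump before treating it as the unpacked binary.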

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-29 01:58

Reported

2024-02-29 02:00

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\非常世纪资源网.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\非常世纪资源网.url

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A