Malware Analysis Report

2025-08-11 02:18

Sample ID 240306-s7mkzsce7y
Target crDroidAndroid-14.0-20240213-dream2lte-v10.2.zip
SHA256 6cf58edd2a7dbdd33af6e3561fa86fe2b7d9d7a8e64f6ef94cc23417002230ba
Tags
score
3/10

Analysis Overview

score
3/10

SHA256

6cf58edd2a7dbdd33af6e3561fa86fe2b7d9d7a8e64f6ef94cc23417002230ba

Threat Level: Likely benign

The file crDroidAndroid-14.0-20240213-dream2lte-v10.2.zip was found to be: Likely benign.

Malicious Activity Summary
Enumerates physical storage devices

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-06 15:49

Signatures

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-06 15:46

Reported

2024-03-06 15:53

Platform

ubuntu2004-amd64-20240221-en

Max time kernel

4s

Max time network

10s

Command Line

[/tmp/install/bin/backuptool.functions]

Signatures

N/A

Processes

/tmp/install/bin/backuptool.functions

[/tmp/install/bin/backuptool.functions]

Network

Country Destination Domain Proto
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 _https._tcp.deb.nodesource.com udp
US 1.1.1.1:53 _http._tcp.security.ubuntu.com udp
US 1.1.1.1:53 _http._tcp.nl.archive.ubuntu.com udp
US 1.1.1.1:53 deb.nodesource.com udp
US 1.1.1.1:53 deb.nodesource.com udp
US 1.1.1.1:53 security.ubuntu.com udp
US 1.1.1.1:53 security.ubuntu.com udp
US 91.189.91.81:80 security.ubuntu.com tcp
US 172.67.10.205:443 deb.nodesource.com tcp
US 1.1.1.1:53 _https._tcp.motd.ubuntu.com udp
US 1.1.1.1:53 _https._tcp.esm.ubuntu.com udp
US 1.1.1.1:53 motd.ubuntu.com udp
US 1.1.1.1:53 motd.ubuntu.com udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 cdn.fwupd.org udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-06 15:46

Reported

2024-03-06 15:55

Platform

android-x64-20240221-en

Max time network

16s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-06 15:46

Reported

2024-03-06 15:58

Platform

macos-20240214-en

Max time kernel

144s

Max time network

198s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/install/bin/backuptool.sh"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/install/bin/backuptool.sh"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/install/bin/backuptool.sh"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/install/bin/backuptool.sh]

/bin/zsh

[/bin/zsh -c /Users/run/install/bin/backuptool.sh]

/Users/run/install/bin/backuptool.sh

[/Users/run/install/bin/backuptool.sh]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.icloud.findmydeviced]

/usr/libexec/findmydeviced

[/usr/libexec/findmydeviced]

/usr/libexec/xpcproxy

[xpcproxy com.apple.tailspind]

/usr/libexec/tailspind

[/usr/libexec/tailspind]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
GB 17.253.29.204:80 tcp
US 8.8.8.8:53 8-courier.push.apple.com udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
FR 40.79.141.154:443 tcp
US 8.8.8.8:53 2-courier.push.apple.com udp
US 8.8.8.8:53 27-courier.push.apple.com udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
NL 20.50.201.200:443 mobile.events.data.trafficmanager.net tcp
AU 40.79.173.40:443 mobile.events.data.trafficmanager.net tcp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 151.101.3.6:443 apis.apple.map.fastly.net tcp
US 8.8.8.8:53 50.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 25.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 12-courier.push.apple.com udp
US 8.8.8.8:53 18.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 9.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 gb-courier-4.push-apple.com.akadns.net udp
US 8.8.8.8:53 cds.apple.com udp
RO 82.78.25.240:443 cds.apple.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 help.apple.com udp
GB 23.44.233.108:443 help.apple.com tcp
GB 23.44.233.108:443 help.apple.com tcp
US 8.8.8.8:53 24-courier.push.apple.com udp
US 8.8.8.8:53 37-courier.push.apple.com udp
US 8.8.8.8:53 26-courier.push.apple.com udp
US 8.8.8.8:53 46.courier-push-apple.com.akadns.net udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-06 15:46

Reported

2024-03-06 15:55

Platform

debian12-armhf-20240221-en

Max time network

81s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-06 15:46

Reported

2024-03-06 15:59

Platform

debian12-armhf-20240221-en

Max time network

242s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-13 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-13 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-13 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-13 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-06 15:46

Reported

2024-03-06 15:56

Platform

win11-20240221-en

Max time kernel

133s

Max time network

193s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\install\bin\backuptool.sh

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c0031000000000055584568110050524f4752417e310000740009000400efbec5525961555845682e0000003f0000000000010000000000000000004a00000000000edb6c00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_TopViewID = "{BDBE736F-34F5-4829-ABE8-B550E65146C4}" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_TopViewVersion = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "3" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\LogicalViewMode = "5" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\FFlags = "18874433" C:\Windows\system32\OpenWith.exe N/A
Key created \Registry\User\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\NotificationData C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\Sort = 0000000000000000000000000000000003000000901c6949177e1a10a91c08002b2ecda903000000ffffffff30f125b7ef471a10a5f102608c9eebac0e000000ffffffff30f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_FolderType = "{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943} C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\Mode = "8" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\install\bin\backuptool.sh

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 1d1493f23d2f53ebe54388c26827b956
SHA1 759ff02cc20ac503801c1aa685aaa029a2d1c48e
SHA256 3d1587c82cad40563350c76290db74ffe29865efa5a97db86050fdfb4e5465c0
SHA512 4ee911b5111ed32eeb5b97127a17ad4f3cc0691d3a87553b3ea487d0cce1bb072a1492342b1bdea799137457c2f38855aa425fe88ad868a2d695dc136fff533f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 1e5735476ba7c6a1d8fc63cf4f76aeec
SHA1 5912829acd338f3446cc7d97f056f4021e8f9015
SHA256 c743f8e9dcbe8466b74c92c2825a73100fef11b8279f0af6bb8d007af018c80f
SHA512 f587f36a5935268992c8bbac013229667c695eb0401906be36b2970efe5e7acbb94db14f519ab1baca6bf09470f29aad88eba4dbce76080f88e99fbc4a62e5f5

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-06 15:46

Reported

2024-03-06 15:54

Platform

ubuntu2004-amd64-20240221-en

Max time kernel

23s

Max time network

82s

Command Line

[/tmp/install/bin/backuptool.sh]

Signatures

N/A

Processes

/tmp/install/bin/backuptool.sh

[/tmp/install/bin/backuptool.sh]

Network

Country Destination Domain Proto
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 _http._tcp.security.ubuntu.com udp
US 1.1.1.1:53 _https._tcp.deb.nodesource.com udp
US 1.1.1.1:53 _http._tcp.nl.archive.ubuntu.com udp
US 1.1.1.1:53 security.ubuntu.com udp
US 1.1.1.1:53 security.ubuntu.com udp
US 91.189.91.82:80 security.ubuntu.com tcp
US 91.189.91.81:80 security.ubuntu.com tcp
US 91.189.91.83:80 security.ubuntu.com tcp
GB 185.125.190.39:80 security.ubuntu.com tcp
US 1.1.1.1:53 _https._tcp.motd.ubuntu.com udp
US 1.1.1.1:53 motd.ubuntu.com udp
US 1.1.1.1:53 motd.ubuntu.com udp
IE 54.247.62.1:443 motd.ubuntu.com tcp
IE 34.243.160.129:443 motd.ubuntu.com tcp
IE 34.254.182.186:443 motd.ubuntu.com tcp
US 1.1.1.1:53 _https._tcp.esm.ubuntu.com udp
GB 185.125.190.36:80 security.ubuntu.com tcp
IE 54.217.10.153:443 motd.ubuntu.com tcp
IE 54.171.230.55:443 motd.ubuntu.com tcp
US 1.1.1.1:53 nl.archive.ubuntu.com udp
US 1.1.1.1:53 nl.archive.ubuntu.com udp
US 1.1.1.1:53 deb.nodesource.com udp
US 1.1.1.1:53 deb.nodesource.com udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 esm.ubuntu.com udp
US 1.1.1.1:53 esm.ubuntu.com udp
US 1.1.1.1:53 ftp.bit.nl udp
US 104.22.4.26:443 deb.nodesource.com tcp
US 104.22.5.26:443 deb.nodesource.com tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-06 15:46

Reported

2024-03-06 15:56

Platform

win11-20240221-en

Max time kernel

69s

Max time network

95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\install\bin\backuptool.functions

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_FolderType = "{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "3" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\LogicalViewMode = "5" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_TopViewID = "{BDBE736F-34F5-4829-ABE8-B550E65146C4}" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943} C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000005558327c110050524f4752417e310000740009000400efbec55259615558327c2e0000003f0000000000010000000000000000004a0000000000f5335a00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\Sort = 0000000000000000000000000000000003000000901c6949177e1a10a91c08002b2ecda903000000ffffffff30f125b7ef471a10a5f102608c9eebac0e000000ffffffff30f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000ed30bdda43008947a7f8d013a47366226400000078000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Key created \Registry\User\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\NotificationData C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = … C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\FFlags = "18874433" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\IconSize = "32" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = … C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_TopViewVersion = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\install\bin\backuptool.functions

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-06 15:46

Reported

2024-03-06 15:55

Platform

android-x64-20240221-en

Max time network

17s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-06 15:46

Reported

2024-03-06 15:58

Platform

macos-20240214-en

Max time kernel

134s

Max time network

188s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/install/bin/backuptool.functions"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/install/bin/backuptool.functions"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/install/bin/backuptool.functions"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/install/bin/backuptool.functions]

/bin/zsh

[/bin/zsh -c /Users/run/install/bin/backuptool.functions]

/Users/run/install/bin/backuptool.functions

[/Users/run/install/bin/backuptool.functions]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.tailspind]

/usr/libexec/tailspind

[/usr/libexec/tailspind]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.cfprefsd.xpc.agent]

/usr/sbin/cfprefsd

[/usr/sbin/cfprefsd agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 8.8.8.8:53 36.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.42.72.131:443 tcp
US 8.8.8.8:53 19.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 8.8.8.8:53 25-courier.push.apple.com udp
US 8.8.8.8:53 44-courier.push.apple.com udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 52.168.117.171:443 mobile.events.data.trafficmanager.net tcp
US 20.189.173.13:443 mobile.events.data.trafficmanager.net tcp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
SE 192.229.221.95:80 tcp
US 8.8.8.8:53 7-courier.push.apple.com udp
US 8.8.8.8:53 50-courier.push.apple.com udp
US 8.8.8.8:53 a1366.dscapi6.akamai.net udp
GB 23.200.147.24:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
GB 104.91.71.86:443 a1366.dscapi6.akamai.net tcp
US 8.8.8.8:53 1.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 13-courier.push.apple.com udp
US 8.8.8.8:53 28-courier.push.apple.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cds.apple.com udp
RO 82.78.25.240:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 23.44.233.108:443 help.apple.com tcp
GB 23.44.233.108:443 help.apple.com tcp
US 8.8.8.8:53 46.courier-push-apple.com.akadns.net udp
IE 17.57.146.87:5223 28-courier.push.apple.com tcp
US 8.8.8.8:53 44.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 35-courier.push.apple.com udp
GB 17.57.146.8:5223 35-courier.push.apple.com tcp
US 8.8.8.8:53 gspe35-ssl.ls-apple.com.akadns.net udp
US 8.8.8.8:53 gsp-ssl.ls.apple.com udp
GB 17.253.77.204:443 gsp-ssl.ls.apple.com tcp
DE 17.253.79.203:443 gsp-ssl.ls.apple.com tcp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1202.xml

MD5 f627cf4820da06be8e6ff3fdec6ebfee
SHA1 993d8ec88721b9e76c3fe1f5987338a61b452bf8
SHA256 f1d2905b871b9b80172b7c9dc298c1a3dd355e6ae633f77562f4e06ed52a54e7
SHA512 bf698aa0eee296df872b91432670af719bda88be3b6d210a567b500da1cedc0e07055a805c2331ccacea0a8a17396e2e37b4bf70894b9052723049c96083001f

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 a1c28cb85b8f6ba22efc401898b64fe9
SHA1 9bfd01ca8a002b80dd804033d5e04ff4ba436701
SHA256 72d3cda880da8cb9e0a61b5c065ed33e810628b7bad41899f7b6db47b98865ec
SHA512 c3cda6568880694d706c80de00a24c72927cd08bb99d579ee661a8d0d18e1424f21611a2528a1f5f7215e36248d18b887cb4d819f346208d9cd0347d4dfe981a