Analysis Overview
SHA256
23a91642bbbfc45279d3475e7391117905673b02fb166ba82dd875e6688c876d
Threat Level: Known bad
The file Office_2013-2024_C2R_Install.rar was found to be: Known bad.
Malicious Activity Summary
Blocklisted process makes network request
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Checks SCSI registry key(s)
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:50
Reported
2024-04-07 20:05
Platform
win10v2004-20240226-en
Max time kernel
580s
Max time network
601s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{25DCA3EE-F519-11EE-ABF1-CA9969386483} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099173" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4198903538" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c0da766f7a4aa440a3269a9745c8e181000000000200000000001066000000010000200000007714dd86b42fe1b6f1447109b12bec1b1ee334ab325c60194fb9bd3bac2c96a1000000000e8000000002000020000000a536f17f8da8e8d56e55723a1fc8475b57ed511d6d5d1af80f8e703333167dba20000000b3401590b14c72d26190aa9e9ee00330aae38c07360e089e2a0c6cd398f24c5940000000c57db25b3ac5ab7a72fd10e5bf13dc6aa94f44b1cbca9e44465484801dd00cafd45275f333260549cb1aa982228eb4a9972112c0c17356586ce5e39a5ebb2bd2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c0da766f7a4aa440a3269a9745c8e18100000000020000000000106600000001000020000000bfdeff215914762b50779bdac5d7eb06ed50a50a83081d66b725eb4d7668a8e0000000000e800000000200002000000058a2472cc1ca861359e197ab6a3982cc6c54efc1ebc424d4921379bba94c6bab200000005306260eb8e1b7f4ba1f6d35718909568c6cb17a775c8ba69b2f6be9808a633e40000000de59abb68e1acf0f67fce27cad6b1ecfa246bff76f7311d489470625fd56080d24130d29ad7b5f194e1a000a636c37eca0baa1d453ccf24694b4c34561c0dcd1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{25D7DF3F-F519-11EE-ABF1-CA9969386483} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4198903538" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099173" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4068effa2589da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099173" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099173" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4198903538" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503ce8fa2589da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4198903538" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | C:\Windows\system32\mspaint.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall.exe"
C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe
"C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CompareReset.jfif" /ForceBootstrapPaint3D
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\EnterEnable.gif
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\CompareReset.jfif
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:116 CREDAT:17410 /prefetch:2
C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe" "C:\Users\Admin\Desktop\OptimizeSearch.reg"
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ResizeSet.xltm"
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RestartGrant.csv"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
C:\Windows\SysWOW64\expand.exe
expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall1.exe
"C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall1.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall1.exe"
C:\Windows\system32\reg.exe
"C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall1.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\ver.txt') }"
C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe "C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | 235.17.178.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | 4.73.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | brseven7sr.top | udp |
| US | 8.8.8.8:53 | 117.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{25D7DF3F-F519-11EE-ABF1-CA9969386483}.dat
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{25DCA3EE-F519-11EE-ABF1-CA9969386483}.dat
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{C974629B-D4B1-11EE-ABE9-62A9A9A84F8B}.dat
C:\Users\Admin\AppData\Local\Temp\~DFEB027B40F12E8D82.TMP
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{25DCA3F2-F519-11EE-ABF1-CA9969386483}.dat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver7C46.tmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\70FBCE97-368F-40A2-AEDB-ED21793E74D5
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
\??\c:\users\admin\appdata\roaming\servicedata\c2gt4h.tmp
C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\OInstall1.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ap4j4xfm.g0l.ps1
C:\Users\Admin\AppData\Local\Temp\ver.txt
C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-07 19:50
Reported
2024-04-07 20:06
Platform
win10v2004-20240319-en
Max time kernel
593s
Max time network
604s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files\Configure.xml"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2260,i,4762972005863767630,9297428255150568035,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4208 --field-trial-handle=2260,i,4762972005863767630,9297428255150568035,262144 --variations-seed-version /prefetch:8
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-07 19:50
Reported
2024-04-07 20:06
Platform
win10v2004-20240226-en
Max time kernel
0s
Max time network
2s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files\Uninstall.xml"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:50
Reported
2024-04-07 20:06
Platform
win10v2004-20240226-en
Max time kernel
449s
Max time network
452s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe
"C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\activate.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
C:\Windows\SysWOW64\expand.exe
expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe "C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"
Network
Files
\??\c:\users\admin\appdata\roaming\servicedata\c2gt4h.tmp
C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-07 19:50
Reported
2024-04-07 20:06
Platform
win10v2004-20240226-en
Max time kernel
444s
Max time network
447s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files\x64\cleanospp.exe
"C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files\x64\cleanospp.exe"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-07 19:50
Reported
2024-04-07 20:06
Platform
win10v2004-20240226-en
Max time kernel
576s
Max time network
569s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files\x64\msvcr100.dll,#1
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-07 19:50
Reported
2024-04-07 20:08
Platform
win10v2004-20240226-en
Max time kernel
418s
Max time network
452s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files\x86\cleanospp.exe
"C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files\x86\cleanospp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
Files
memory/4668-0-0x0000000000320000-0x0000000000327000-memory.dmp
memory/4668-1-0x0000000000320000-0x0000000000327000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-07 19:50
Reported
2024-04-07 20:08
Platform
win10v2004-20240226-en
Max time kernel
599s
Max time network
602s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2404 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2404 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2404 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files\x86\msvcr100.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files\x86\msvcr100.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 600
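Reading these sections by hand is slow: every Network row in this report is a UDP/53 query to 8.8.8.8 whose "domain" is a reverse-DNS (PTR) name, so the IP the sample actually looked up is the name's octets reversed; the Files entries encode a PID and a memory range in their names; and the Processes list just above shows the 64-bit rundll32 re-launching its SysWOW64 copy with the same command line (rundll32 hands a 32-bit DLL, here files\x86\msvcr100.dll, to the WOW64 rundll32), with the WriteProcessMemory and Program crash signatures being that hand-off and the child dying in WerFault. The following Python helper is an added example, not part of the sandbox report or its tooling: it decodes the PTR names back to IPs and checks whether any non-DNS traffic was recorded, parses the memory-dump file names, and flags rundll32 command lines that load a DLL from a user-writable path. The embedded sample rows are copied from the tables above; the "user-writable" directory list is an assumption of this example.

```python
"""Added triage helper for the sandbox report sections above (example code,
not the sandbox's own): decodes reverse-DNS (PTR) rows back into looked-up
IPs, parses memory-dump file names, and flags rundll32 loading a DLL from a
user-writable location."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the behavioral7 Network table, copied from the report.
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
"""

# Constructed sample: command lines copied from the Processes lists above.
PROCESS_CMDLINES = [
    r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\Office_2013-2024_C2R_Install\files\x86\msvcr100.dll,#1',
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 600',
]

PTR_RE = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", re.IGNORECASE)


def ptr_to_ip(name):
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'; None for anything that is not a valid PTR name."""
    m = PTR_RE.fullmatch(name.strip())
    if not m:
        return None
    ip = ".".join(reversed(m.group(1).rstrip(".").split(".")))
    try:
        ipaddress.IPv4Address(ip)  # rejects octets > 255
    except ValueError:
        return None
    return ip


def parse_network_table(text):
    """Parse the report's '| Country | Destination | Domain | Proto |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue  # blank line or header row
        country, dest, domain, proto = cells
        host, sep, port = dest.rpartition(":")
        if not sep:  # destination without a port
            host, port = port, None
        rows.append({"country": country, "dst": host, "port": int(port) if port else None,
                     "domain": domain, "proto": proto.lower(), "ptr_ip": ptr_to_ip(domain)})
    return rows


def summarize_network(rows):
    """Where the sample actually connected, which IPs it reverse-resolved, and any non-DNS rows."""
    destinations = Counter((r["dst"], r["port"], r["proto"]) for r in rows)
    looked_up = sorted({r["ptr_ip"] for r in rows if r["ptr_ip"]}, key=ipaddress.IPv4Address)
    # Anything other than a UDP/53 query to the resolver deserves a closer look.
    non_dns = [r for r in rows if not (r["port"] == 53 and r["proto"] == "udp")]
    return {"destinations": destinations, "looked_up": looked_up, "non_dns": non_dns}


MEMDUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_memdump_name(name):
    """'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' -> pid, index, address range and size."""
    m = MEMDUMP_RE.fullmatch(name.strip())
    if not m:
        return None
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end, "size": end - start}


# Assumed list of user-writable locations; extend to taste.
USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,\s*(#?\w+)', re.IGNORECASE)


def rundll32_user_path(cmdline):
    """(dll_path, export) when rundll32 loads a DLL from a user-writable path, else None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll, export = m.group(1), m.group(2)
    return (dll, export) if USER_WRITABLE.search(dll) else None


if __name__ == "__main__":
    summary = summarize_network(parse_network_table(NETWORK_TABLE))
    print("destinations:", dict(summary["destinations"]))
    print("reverse-resolved IPs:", ", ".join(summary["looked_up"]))
    print("non-DNS rows:", len(summary["non_dns"]))
    for cmd in PROCESS_CMDLINES:
        print("rundll32 user-path load:", rundll32_user_path(cmd))
```

Run as-is it reports a single destination (8.8.8.8:53/udp), no non-DNS traffic, the ten reverse-resolved IPs, and flags only the msvcr100.dll command line; the EDGEHTML.dll load under \Windows is left alone. The PTR lookups are what Windows itself issues while resolving its own service endpoints, so a table made only of them is not evidence of a C2 channel; the absence of any TCP row is the more useful fact the summary surfaces.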
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |