Analysis Overview
SHA256
2e392a0fddd485b24600022bd5a5b99aa50d4104f7947afcd766f3627e06fc62
Threat Level: Known bad
The file 16520114153.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Blocklisted process makes network request
Checks computer location settings
Executes dropped EXE
Malformed or missing cross-reference table in PDF
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Checks processor information in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 00:36
Signatures
Malformed or missing cross-reference table in PDF
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-11 00:34
Reported
2024-04-11 00:46
Platform
win10v2004-20240226-en
Max time kernel
599s
Max time network
594s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3316 set thread context of 5020 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3208 set thread context of 3848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 3208 set thread context of 3760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 2084 set thread context of 1948 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 2084 set thread context of 744 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\g2m.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\g2m.dll
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Holding130rd.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\UNAQP.cmd" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\UUTGX.ps1
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Holding130rd.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\UNAQP.cmd" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\UUTGX.ps1
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| RS | 45.89.55.130:4047 | clepdhunt.duckdns.org | tcp |
| RS | 45.89.55.130:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 130.55.89.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | textbin.net | udp |
| US | 148.72.177.212:443 | textbin.net | tcp |
| US | 8.8.8.8:53 | 212.177.72.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.101.63.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| RS | 45.89.55.130:4047 | clepdhunt.duckdns.org | tcp |
| RS | 45.89.55.130:4047 | clepdhunt.duckdns.org | tcp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 148.72.177.212:443 | textbin.net | tcp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.98.74.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Holding130rd.vbs
| MD5 | 23d7b25f8233971afe7801edb6615eaa |
| SHA1 | dd3e2f1fecc1d18af047045dcba2a73359b7019f |
| SHA256 | ecac17cda633793bbe91741f4e8ec371000d82ba9cfeab0ee79c9a84d9a0a62c |
| SHA512 | 090e4e3bb0cfdbda4f40c3ab76d3d11cb95c26e2069a4a05628875eb794f1b48904d353865c51b68c93b9c57d497abcb2a0f837e6611d3fc955511685cc0f3f1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FPBMA.vbs
| MD5 | 08573053b297406719cdb275f62815c8 |
| SHA1 | 0d82ae88fc747cfacd3a7fd80cb52d9e7f0eaa2f |
| SHA256 | b89ba728b322bff609cc24052896f31c11091a82296e0351769543437b0788bb |
| SHA512 | 6feb1b5a0fee7f3e5d1fb2c76a8a4565e6d6f5441e2e156fbd88ef5324c823a95b2e767f8e2948e899793ba3edcc438f9afdc03fdca8dddb3d7a6537f621505d |
C:\Users\Admin\AppData\Roaming\WindowsServices\UNAQP.cmd
| MD5 | 190bb5d0398a86cffba0566aad524749 |
| SHA1 | cfb0913a6a8ca4404fc94f0875a3e1b7ae222d60 |
| SHA256 | bf6b4681cb1ea2e7d4e4571a7f80c3a50c8788618cf6437616aefa93b491423b |
| SHA512 | d4be5e0fff7f05ad1730908181e8e1889772a03ae72d5c691bdfa4bab584c1e3dd62124b59222c110d74f3884d73bfdeaf316618a3be05a6ffde4fc3ccefbdaf |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_etej0ey4.xc2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\WindowsServices\UUTGX.ps1
| MD5 | a77c5e1a90d97c8c16ff8748fc668b3c |
| SHA1 | 611679d8a5e1e5bcaf5cdf3148947f0aa0650af8 |
| SHA256 | 9dadb75e08649354b0e891ed8c3a0fb0cc515dbcc79c38f8da0abacd016cbae1 |
| SHA512 | 90669e3a22af8603d754d6bd52c9065e190126e98d41f52a4d729a29afe09e2e4559256a87f3d3715c55087e4c2e61e50ad3f2f314624ff64b83072aa1582bab |
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 9d352bc46709f0cb5ec974633a0c3c94 |
| SHA1 | 1969771b2f022f9a86d77ac4d4d239becdf08d07 |
| SHA256 | 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390 |
| SHA512 | 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b |
C:\Users\Admin\Start Menu\Programs\Startup\WindowsServices-QCEFU.lnk
| MD5 | ba94bb345c24a99c07babfcd399f1e06 |
| SHA1 | b32601d93fccb9d1254b32f30ba3603abc6b9b3e |
| SHA256 | 45b60007f0a3217739ea128330dd5838ef88d34de0135ccf228fd1714dc6823e |
| SHA512 | 0d61439cf183e66c67e1a854ffea80e120952990e1fd65b48592dd4e2ace5d7a2e8e4d11e26ca3322361498a4166e925696355155b93356bcc8b2db6f1b06992 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 822467b728b7a66b081c91795373789a |
| SHA1 | d8f2f02e1eef62485a9feffd59ce837511749865 |
| SHA256 | af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9 |
| SHA512 | bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | 18476bf2c6a14941d249c0bfbe2049bc |
| SHA1 | 9a35a7b51bcafcb8a3ccfa90e5c3dddffcc37041 |
| SHA256 | a9a13a561eb86d6962774d4164c422319b4b099bac6987f7c79e33edf86f8339 |
| SHA512 | 9e8adca58b8a57cb1e16bc121394158d583c369b9bca87353392ed45acad4832721afcfcda7ad7f66b434cb2104bde1dd97b88d3de6a93e716a794aa6d58ba83 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFF36071456820AC60FD568DDF18F256
| MD5 | 5d3fff1b9b0b50c2d1b978b5e26fe28d |
| SHA1 | 8c382cb42267ee979a412bc0a950e67b91822fc3 |
| SHA256 | 02a302fb8ae7cdd340de1726f1e89bd67b012dc311e7f1e555be28bdae3f3ca7 |
| SHA512 | 3848ba48b10eeee832fe18d3d8a5645ccbf0ce294e05fbcdacae19285a12524d1c246fbce6507345a987f5998ab6361169aa4f0977afbc5c57249c9a350f101c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFF36071456820AC60FD568DDF18F256
| MD5 | c25cc2154d0638dcfb9196cdbad6488a |
| SHA1 | b85b53141e99a7573c4b4226b129959727b86ebe |
| SHA256 | 0fae37c9933ef1f05283ad41bad93e56f54786248bc00ab271e3bc7032b4bcfc |
| SHA512 | 3664639ce3646df3c46842be34545de87a6f8ae8d1304a72d85fd719974321cb375458ec0d9a9bcf060700403067bcc4f7b48495bab416b920a496399a5c12e6 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | e3d77fe9c961841ae8c7c3ed37d6b1e6 |
| SHA1 | 44f16e0827eb01c293bcc1fe1e5f19bd9ecc3058 |
| SHA256 | df4d0c62c8152b380b58341f3236b73a45303b5b36c57f0cee26203d1f75cd21 |
| SHA512 | 147dc8bd8e3e8a75577bc1323c61314f218195c3faf8b2e9e10e7c2ebe13608df778a54e23f463013710d8b4edc1ca60325893d77be55485c6597431089515f0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4251795e1752134065dccf1c1029241f |
| SHA1 | 025d125fd2927c746c3f72497957c7de7c7aa2c1 |
| SHA256 | cbdf5ced4620e16e5ff8b5d927bf58a45c1c6b7b8bf1254791b2503223798da0 |
| SHA512 | d7befa0fe6c5429ac46ec168e732b60de3d1b3ef30a878fc1e5fa9665c208f8614b8199f93f97dbb7147243df88d54dd73f87a1ad93cb6b113358a4355e4822b |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 00:34
Reported
2024-04-11 00:46
Platform
win7-20231129-en
Max time kernel
360s
Max time network
365s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Processes
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1099Misc.pdf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ae8d827f8fe5081d95533baa7a68ca5e |
| SHA1 | 1b8ab096c26eff31f2a72204e03e164b609fa979 |
| SHA256 | 33ae40aa9d0c699cd775d5c0d22049e7c8ad78fe65845663a6e3145d8476943a |
| SHA512 | 56b68cb2c44c807064caf6b028624fafd3c6bb1185c84468940b91523691f05373e1f46d8ddff73cd98bbf3f64c9651b9fedbf716b55064732d3741e710294a8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 00:34
Reported
2024-04-11 00:46
Platform
win10v2004-20240226-en
Max time kernel
591s
Max time network
574s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1099Misc.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4D4BE001D2DDBCFF51FCBDA0B1AEF20C --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9E0E9EAAE4413A9C691F5A71304B8B50 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9E0E9EAAE4413A9C691F5A71304B8B50 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1F168A80BE7875C8E51370F805422541 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D3C54EE156224F740AB60C8E9200393F --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A38749AC1C5D7B07CB2497FF6A3669D3 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A19282E0B057A573B904934E6F1B2D0F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A19282E0B057A573B904934E6F1B2D0F --renderer-client-id=7 --mojo-platform-channel-handle=2404 --allow-no-sandbox-job /prefetch:1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.172.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | ff1fb05a07408017338f209ceb1ebe45 |
| SHA1 | ff473d30b61e2b769a055ff81be8017d9c4a0f5d |
| SHA256 | e15eb7fefc3daa6a61009879ed31beb6383f8593667fe0dd5508227adec89bba |
| SHA512 | 4be222cc3063c75c61a01016505c36a126c063d5c259ad32b73b8dcf758c8efb529f30abd7c1fc85dffc36613fbd27a3d71658d3537bcf9750acf594596861a8 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-11 00:34
Reported
2024-04-11 00:47
Platform
win7-20240319-en
Max time kernel
601s
Max time network
604s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2056 set thread context of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe
"C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe"
C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe
"C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-11 00:34
Reported
2024-04-11 00:48
Platform
win10v2004-20240226-en
Max time kernel
602s
Max time network
615s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4168 set thread context of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4168 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe |
| PID 4168 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe |
| PID 4168 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe |
| PID 4168 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe |
| PID 4168 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe | C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe
"C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe"
C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe
"C:\Users\Admin\AppData\Local\Temp\Wrights 2023 1040 W2s TaxDocumentPDF.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5084 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 8.8.8.8:53 | clepdhunt.duckdns.org | udp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
| US | 52.161.137.125:4047 | clepdhunt.duckdns.org | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-11 00:34
Reported
2024-04-11 00:46
Platform
win7-20231129-en
Max time kernel
359s
Max time network
363s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2368 wrote to memory of 2332 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2332 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2332 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2332 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2332 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2332 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2332 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\g2m.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\g2m.dll
Network
Files
memory/2332-0-0x0000000010000000-0x0000000012DB3000-memory.dmp
memory/2332-1-0x0000000010000000-0x0000000012DB3000-memory.dmp
memory/2332-2-0x0000000010000000-0x0000000012DB3000-memory.dmp