Analysis Overview
SHA256
937a96ba7f8a4b5850f795710aa1f84e2be3483cd42f34e4b7f3cdc10483f64c
Threat Level: Likely benign
The file Agreement 25168.eml.zip was found to be: Likely benign.
Malicious Activity Summary
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
One or more HTTP URLs in qr code identified
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-18 16:22
Signatures
One or more HTTP URLs in qr code identified
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-18 16:22
Reported
2024-04-18 16:25
Platform
win10v2004-20240412-en
Max time kernel
125s
Max time network
166s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Agreement 25168.eml.zip"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-18 16:22
Reported
2024-04-18 16:25
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\perfh007.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\inf\Outlook\outlperf.h | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File opened for modification | C:\Windows\inf\Outlook\outlperf.h | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\inf\Outlook\0009\outlperf.ini | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Processes
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\Agreement 25168.eml"
Network
Files
memory/2752-1-0x00000000737AD000-0x00000000737B8000-memory.dmp
memory/2752-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2752-124-0x00000000737AD000-0x00000000737B8000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-18 16:22
Reported
2024-04-18 16:25
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\Agreement 25168.eml:OECustomProperty | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Agreement 25168.eml"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.98.74.40.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-18 16:22
Reported
2024-04-18 16:25
Platform
win10v2004-20240412-en
Max time kernel
145s
Max time network
138s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9142646f8,0x7ff914264708,0x7ff914264718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13368237866272408875,14561198313173042526,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3008 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ci3.googleusercontent.com | udp |
| GB | 172.217.169.1:443 | ci3.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 1.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.183.117.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.77.24.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | cb138796dbfb37877fcae3430bb1e2a7 |
| SHA1 | 82bb82178c07530e42eca6caf3178d66527558bc |
| SHA256 | 50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd |
| SHA512 | 287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a9519bc058003dbea34765176083739e |
| SHA1 | ef49b8790219eaddbdacb7fc97d3d05433b8575c |
| SHA256 | e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b |
| SHA512 | a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53 |
\??\pipe\LOCAL\crashpad_4184_LNRAMSXDXPKKDVPX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a11eecf500e06cb20a1c8754f360488a |
| SHA1 | 5ed362a9fa9f5c8c3bff815fc8fe11570da7e1d2 |
| SHA256 | a6b59e06c9c532e08fe0bf28ff2516d67180dc6c3164076bf45e40ab16f34541 |
| SHA512 | f582740d9178e7ac3a8d6be740a5b19450da65ee9277ccc6982e515554d292e5f74fa98ef1a9e3bc8f6ba58e934fdeb75ba955b062dafe247fa5903e7d7d8b3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c17133970b119e25b0f364449bc4cb28 |
| SHA1 | b5820f2d53c1d7c87e5d0c1d4c0cc30d68dca164 |
| SHA256 | 9b8c6d6ad060ba6636a7ac9265d533978889920e6b4261f2d6e3c6750ee5b8d6 |
| SHA512 | 66b304814315405d0bc16625252f84a70d197a019935e299d5e94212a4444f2ee3e42191fe08379f717944bae4766d4a5cdd94c4051e80f2ca62706c870c8ff7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 84e4300cedcbb645bcda29b3f41b4576 |
| SHA1 | 0a1eeccb687b44a4ab9d5df8a271f543a79d582f |
| SHA256 | e27f7dd707c732883ecc1ff8f2135cfefb81bd961095dfe54938730bd23deb5a |
| SHA512 | 112eceb00f9e1f3ae21b275b683154a7decf42d8fcb0a93c78589002eaffb8ebbf56786b8b5e39ae21c42aaaa3677b548d6d82f2b0848620354bc39acabb5adc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | eeff03b525115bd270b8ffbd2c85ee73 |
| SHA1 | 6bc3bc9fb3463132dabb251aa8e174850fde0231 |
| SHA256 | 1f55dfe8fc8bfe7e904737f3e36fd3b0712409049cd4f474cdfa6e7948359cac |
| SHA512 | 4ba25bf759e85c42c52cd708f0cff783167485f0ae592e2d7d2e8e6a684d829fbfe9899ee36a2bac424aedf935f68120a9f00acc24aa9e334eaca359b8cf5d9d |
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-18 16:22
Reported
2024-04-18 16:25
Platform
win10v2004-20240412-en
Max time kernel
94s
Max time network
113s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\email-plain-1.txt
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.221.208.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-18 16:22
Reported
2024-04-18 16:25
Platform
win7-20240319-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Agreement 25168.eml.zip"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-18 16:22
Reported
2024-04-18 16:25
Platform
win7-20240319-en
Max time kernel
135s
Max time network
133s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0165dc7ac91da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419619259" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F229F741-FD9F-11EE-A699-5AEE7C6D1260} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a529a2e22ae42f4084bf8a2f7b0415b200000000020000000000106600000001000020000000f2c11fdf09da67936cc7432fa9bc8d3b197b7c006673d9944f98fd5a3aea7ece000000000e8000000002000020000000df9ba27b254d2695c73087f9b020a505f22f5db088f36d8398bebf89d1991de220000000ce7d3ca7913cf9afc4ab4f01ceb1285e17f92a9d2b1a93f21b1d63ee2316527340000000948c6a88dd04cf7bd6568d1dc700c250417fba7abcd25f305858aa813b5a9df1a822ff45afbc97249f8443fd472971f47dd71917f5ef6962b69e118835129ca6 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2528 wrote to memory of 1364 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2528 wrote to memory of 1364 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2528 wrote to memory of 1364 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2528 wrote to memory of 1364 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\email-html-2.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ci3.googleusercontent.com | udp |
| GB | 172.217.169.1:443 | ci3.googleusercontent.com | tcp |
| GB | 172.217.169.1:443 | ci3.googleusercontent.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab5523.tmp
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7ed2c0d1f1fc73b63f54af407d0f4bf1 |
| SHA1 | d17e96ac566948e2191104cca3a54f4b1ae692c9 |
| SHA256 | cc67a2dc997e26f5f2a1cf3263cb0e59a082c23c9897d7098c3ece9d162188d8 |
| SHA512 | d2c8d89d68ba03501eb9fb49b1b5c4c371e7a263828f1cbabce7945a59451034a1bd9a32eccba76ae8dc2a6a931c1014b493ffdbc5bd0a652e2fa5ace7e9fe6b |
C:\Users\Admin\AppData\Local\Temp\Tar5524.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar5664.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c8191a6d1eb8424662a4cbe42e77ac7a |
| SHA1 | e14c492e35c23c5596be77b2eb0774ee2b2fc59a |
| SHA256 | 561a6acf09a41cfb08adb71258960f3af54eb85db0f4ba2bb62950d2e7329ded |
| SHA512 | 66fc6ff90035dfa0c0e847a2affcd9234a3df488e2e03022fc7096810e87ddaf430d2ca073b2055efb05bb7172a64f42678ef7208947fdefe700c240a54e01c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 55b2eb940c9c596fd6a6f9ed470b5d36 |
| SHA1 | a92637a243556d7d13e4016b97ccaf784aa88c86 |
| SHA256 | 4f1c53a8d8cea04f5165311812ab5bff4a33e83c320f0f6284557dd05223a476 |
| SHA512 | c5285cf3f35b09ba0f5c21982c53594e6cf906bf42270aab5bee634b4b7fdc4d6ea98eb53b54f58a0db25a98498d32477c7cea0e8a2f6aa4890186a539a33c01 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6926c6373e54d6e8222ad3f086a81714 |
| SHA1 | 367bcd2d54d55c772c9b94d60f2846938f2b9b29 |
| SHA256 | 06f44a5c7ec579b2c00962231c3324826897e045f0683690953a61b6354052e6 |
| SHA512 | 0b4fc81d2a1904731d3092b52e95507da2e52c7b204223b03bf837d16c84b555a5c46edfe14fa71858fe1d1b228e85826dbe581de4b3589be5cbade74f04262a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8c03569c44365dc121725c85367f94f4 |
| SHA1 | 54de51000508ceb603be9560ee5a2b0e49d65e36 |
| SHA256 | 50aa1c0aab0241f7d84881c1af6156ae69c02a9d0115949d47151922720eb2c6 |
| SHA512 | 28485ba216c8ba7518cbaddbf7118a45f2c38527a78c578f46f1f5b57e4523cb6c282a52211e44bc9ab48e21016b8653dbed721253b8b5d9c2e8aae09fecf770 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bb55ba3bf2c6458ef991902735d53190 |
| SHA1 | f34707653e746d654ded2aa18748c85368e21600 |
| SHA256 | b1f5501528b04037d2f391c2a4ac6825f1c1ebdc2df961a82948cf09f7284ff2 |
| SHA512 | 8a9601e9ad1d74c23692fb0d11c91dd7d3a005dfd4a8256725f6832b6fb0656e5acea9aac0ce0321fd437a7c42e39edd148d913367d7149d7c4b329e93b62142 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f0a452bdff58634d5c32bbe4ecc8cd6c |
| SHA1 | 2e6b9011eacb0c8838b8dd63b33a139d4d073a26 |
| SHA256 | 47b9f9d6f8b791aafb516324b04ff26b4c08f486215771caea78062597ec6c84 |
| SHA512 | a31c41b5f03a62bada7e68890b82973f0873a58d3db7a7679d3364dfbca7b97bf428389fba80e2ffc3265ca61c4af2c38feaf70a1cdefa839a7c71211296aa3f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2e8536b15a81fc6edebf04946ce2323 |
| SHA1 | 1e8ab5ac969a5ba5bc8a9fd2d6be06d7f00549a1 |
| SHA256 | 0cb05e22218fc4f774b67bdc111150988138563c792e5f98cbce4cfe4260974a |
| SHA512 | 899e685f490473de7ba598a3d6e056a5425db90f20963be46a14f54a1a88afe77ab5bdb8b03178d40769dd2bc996c74cf8589cd813031639a243336d9a1e3291 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ba14c5f4b04b49c9c909910720b874c7 |
| SHA1 | cf1a4fd44126c79614b94dab8917ebbe48c416bd |
| SHA256 | 70a9cc75617076d0190baa1746fe5e7b1f8cf537f4251324a07e725b9738948a |
| SHA512 | 5794e8c1821afece4239f784c92100a5a079bd69de9df3effd8b70092999c924fc88f8b0ce2f87402d67eab2266bf2ea2c3509599233add0b1bea5e8f09f9f76 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1dcfae5cc0cba73f2d7913cd6d81d2cb |
| SHA1 | 5ba08c839f3d10223e633661c0bb216a9e1a9605 |
| SHA256 | 0b7026bf23950baee314761600731ee5ef98ec772388deea0af62f3f5d649e5e |
| SHA512 | c51d17bd772ea2d8dc1cc2df791ac95f4e10531e9c6371451a961bebd779a61ebb89f4242f3cf15815cfe901c205d6ff10f82e225925ff4fd911a17ec2194def |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eca4662dbaf03c34bb18bae4021e6a67 |
| SHA1 | 1de5945564f3eadb78d94514558dda4f20588ba6 |
| SHA256 | 79bb84ad4d85cd85ff1c0d5ee1b17997d739f7d323408abc9f80011179010212 |
| SHA512 | 4b8c177af7226141f48450465ef95a7a7a0298f2f79df12a8e8755b996d7413ec781cb245e9702ae0fb0d5bd38c78e60e0993f319fb2667db513ebee35f7681b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 83023c467bbb950de7ea08227da8c88a |
| SHA1 | 2025d1377473f1b81d9cc39a5c3efce0aa0f3853 |
| SHA256 | 3d1f095585431f443ed0501f45f7a099493402fb9ed08871a710bf40ed5d75aa |
| SHA512 | 68e82d2a0c45f6ecd67e40ef7dbed21d08d9c8ad3fae446452f346b0642b19a2a0e9d6505009175d90433fe9994845c18091fcec674049e25b90f828d31836b8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c205fac13ea89748f7685615a062183f |
| SHA1 | 1c289687bf80e8d491406792ed4b75ae1636eb0b |
| SHA256 | fc5b0351b9cb191c5bb36ceb0a2b4a151fcbab9fc37c90a781fdf3e0d047c762 |
| SHA512 | cab10814dd61edc297e5131afbd3f28bf404a74e60fc926ba48536fd917d922b573751e18394c70f563f41dffaa3fca923fdc77e60e1ea812b907b2b0bf26a52 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7e81291d40d60216dcaa69fa0b956580 |
| SHA1 | 415a8007672407a1d08e8354fd44269e4942b22f |
| SHA256 | b76fbb7cc2e3f181c2e1644fcd08a45310fbcb970c4964cfe5d3b8f39c4338da |
| SHA512 | 30f0df08f5497628b578aab889227bcd7e0d211bdb9a862c686c89ec2e0a272edf4f89f16df40c0c4b8160140c0129443deb4964ea5ae81c73a21c7201bac142 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9c3582f2c06e954041ceb734ac28e284 |
| SHA1 | bdc5060f75b1beb4d71d1d460659060462200394 |
| SHA256 | 8c734d8cce8632ed75819cce90c6fcba0cf74a3b23607602c6ec2a48ba4770bb |
| SHA512 | 28924e6b50a270a2434c0e8f03a0a85173b532f592a618cc6c54d89945e2e3e2a5ea40d451b076476fa34567324fb8b6e2186a51ab4bcbf54b3e9a77a6cfc832 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 691960f94605be2ca6a0c2b4f5005a93 |
| SHA1 | a0aff63c457f91721f49c306a9868cc43feae232 |
| SHA256 | c759608dce37746efa0abce80f37d553f0cb5b962d9d4c68a855c54302a8de40 |
| SHA512 | a01f45e1a09c11b50c18acd464c00f8cd3f0483555d013d938a129b7d7ee642eea34e716fe8f202791ae14ae78e0b7885e9bdd5bc77cff72efa5b29375c82bb8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | ff04c2098335fc1acf704b9d636be1ac |
| SHA1 | 938e1ef759caa7a6b9de596cb613fe592aa286e7 |
| SHA256 | 736098fde90627babf1fd156a92bf9a9bb1ffccecf6a8866693cc34e8cda3629 |
| SHA512 | 50eb3ef9903eababfa330977bcedc422fce33ea72da08ceb7ec5ce2066ed6e7310b3aa705191a0e5a96e3708d7f3c76f486522c41eba56919451cf269b230a2c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6178279ab3795e8c9357e503d3f277f0 |
| SHA1 | c6861c039c160dc149245cf0aa83cbd1cd33eaa7 |
| SHA256 | 59968bf4070eac765da269fc99b37ec9e33d58ee84ea2f2a035e770723f32554 |
| SHA512 | c7e5f7200ea54ef326f6a4cc5fc9efcba278e26de748f8cb1969b63d08cab1b2edf4b102e63c622f4c2c3b3b757634aadbc3fdd14f3eb96d2e7435acdf5fe409 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3775c4404b03ecf3f5472d056aabcf97 |
| SHA1 | c838ae848f49dd317ddb29834e83becddfb408f3 |
| SHA256 | c1a5fc83afcafd30f6772e93a642ff62746533e819a8a2b773d0ebd8b000f73d |
| SHA512 | 3b73dd0bb273c573058602468ae6072c25ba9c530ace6627888239fb11523508191594f6b6c774dd7bbead786ca2148a84862093caba65bf2acd43a59a92ea92 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65c873a6348183328e417d7a0674102f |
| SHA1 | df1d61d325ab52f6444cd6e6a5bfbd4942d13e91 |
| SHA256 | 4f8de667c60c6f1744483462e2de1814be4feed587d211bb16308ae453b63428 |
| SHA512 | d6069751e10d77f727885d1658a358ca809590c80bb20296e707af8b8a34bd39e74c4eee3b3d56fd82369d8fe11c536bb9f081b0dd2948de8eb4bf00dd7aec7a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3f505cd1ea4247b86e65f8d3fc31d88e |
| SHA1 | fe658384f1b14a3200745e23a410ead26f69feb0 |
| SHA256 | 89e4c6fe190e4aa679fb05fae8ffb4356dc0de4cc89d29303433c228c22d1344 |
| SHA512 | dfa21ee0e4b75c4b6b9fb49faa839e2dcde3e397f334629586cd352e0f0d8621f3d13c5ca35ec47f6a78c72417144bbaa2551f457019fe70d7b6b6af26eacddd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 71383bfb99a86a4f31256ee82f6e95a2 |
| SHA1 | 7ff58157db4beb7381b49d87501ebe2c08d738e4 |
| SHA256 | 946f3978fcc5f2d53db4ec4b9bc2f9c87d0839628ef575fc202e5bff1b4cb67b |
| SHA512 | 02eaf8c070dcc8d2f80f6d722b428aac22a683ae69bf097b9021da98101396edc13ce1d7a8ce036721c740c3f9947e2ddd350df00e87daf9c420e8682e685ae7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3bfddf462d05bc5e55beb2feb32651a7 |
| SHA1 | 97ee6557451026e7334b4b9f2a78a8ee90aebda5 |
| SHA256 | 00a1abb1c412451b9c86c31b5f0295ba0b9c39d4fdeb205de11f0c0460888fd0 |
| SHA512 | b1ff70e8ecbfd1daa080869e25c95a78fc95e4bbde8d9302794c100121a666c84cda33e9a1aec6a97bc969c3673829daafead18750ffcf94a12c3c1711254062 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 55505cb46f4f16864b1cdf4489ee4045 |
| SHA1 | 29561b7258461b2301747aa4d6b47469e0d15c76 |
| SHA256 | c7c3d8980bdfb92e5c1fb0fe589d8f83dbff0eab8428a2fa77519f6f6867842e |
| SHA512 | af5b14bed7a2e5482dd2acc136afc5483f0327c79f88a6be23393fdabfdb6760dc8f539f7263c59e617cf62eb533563d45a29ffdc9ec79b2bd73244257ffd8a5 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-18 16:22
Reported
2024-04-18 16:25
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\email-plain-1.txt