Malware Analysis Report

2025-03-15 05:43

Sample ID 240509-h3zpmsfd8t
Target 858ff0e6cd73fb2fc697e98f99ad5f9bd4de08a2a66f9a8b96267e169ecfc381
SHA256 858ff0e6cd73fb2fc697e98f99ad5f9bd4de08a2a66f9a8b96267e169ecfc381
Tags
upx discovery aspackv2
score
10/10

Analysis Overview

score
10/10

SHA256

858ff0e6cd73fb2fc697e98f99ad5f9bd4de08a2a66f9a8b96267e169ecfc381

Threat Level: Known bad

The file 858ff0e6cd73fb2fc697e98f99ad5f9bd4de08a2a66f9a8b96267e169ecfc381 was found to be: Known bad.

Malicious Activity Summary

upx discovery aspackv2

Nirsoft

Blocklisted process makes network request

Modifies file permissions

UPX packed file

ASPack v2.12-2.42

ACProtect 1.3x - 1.4x DLL software

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 07:16

Signatures

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win7-20240508-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Encopy5\encopy5.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Encopy5\encopy5.exe

"C:\Users\Admin\AppData\Local\Temp\Encopy5\encopy5.exe"

Network

N/A

Files

memory/1688-0-0x0000000000400000-0x000000000049C000-memory.dmp

memory/1688-1-0x0000000000400000-0x000000000049C000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

130s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\FoldersReport\report.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4732 wrote to memory of 432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 3292 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\FoldersReport\report.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_4732_EOQOMAAVLIVKVJIR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ca27a6bd86c3e5fab3db85e8ef106481
SHA1 a289c4f6d1da424c16ed94c7635d777472361887
SHA256 d939760cb2b691d3d16858fb4942b4431f508eaf8b92ccf9b86648931ca4c2d2
SHA512 81af9fd6fb1a35c1c274ca26258ff9bc96591d9310da52586dba8225553a25404cf75a251223821505ae6e2219ec8cf9ec20407a44415bcfc3b7ddb8c878a4f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4ac19cad95465f4c243c9bf6502174e8
SHA1 03845b457ef1830d1725dee0d9a3e3ab2a15ac28
SHA256 9c323c819b9b7b7960c054cd430cbb2713f237e62aa54fd6105cbb3d1452fdcf
SHA512 a62f1db569fd97c5ddad1f340164c7fe74d783a56bf610b524392f95eaecf482659033203d44348cc84b0a098c5e4275d1af7be13b57f718465e80a24ebdba55

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 40da1f72812d4073997c7f6986dd2f87
SHA1 09b10351b09e2b74b69ebcfdf58464d08f74af78
SHA256 61dabea014ab8ef0768067fd55cdd11150e69b6a470ba794348056483f63d23a
SHA512 b3ca06b21d93cf58b3be0edaf95e5d717e3c94826909f342eeb3f309f9c1efbb26162103fc586e74454be8617473a1df8c014974281b5fbbb466b47c30e2fc92

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win7-20240508-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe

"C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe"

Network

N/A

Files

memory/1976-0-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1976-3-0x0000000000400000-0x000000000041A000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win7-20240220-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xpass\xpass.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 1792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 1792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 1792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 1792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 1792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 1792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 1792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xpass\xpass.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xpass\xpass.dll,#1

Network

N/A

Files

memory/1792-0-0x00000000001E0000-0x00000000001EB000-memory.dmp

memory/1792-3-0x00000000001F0000-0x00000000001FB000-memory.dmp

memory/1792-2-0x00000000001E0000-0x00000000001EB000-memory.dmp

memory/1792-1-0x00000000001E0000-0x00000000001EB000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xpass\xpass.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1912 wrote to memory of 2764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1912 wrote to memory of 2764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1912 wrote to memory of 2764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xpass\xpass.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xpass\xpass.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/2764-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2764-1-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe

"C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe"

Network

N/A

Files

memory/2308-0-0x0000000000400000-0x0000000000419000-memory.dmp

memory/2308-2-0x0000000000400000-0x0000000000419000-memory.dmp

memory/1704-5-0x00000000026E0000-0x0000000002950000-memory.dmp

memory/1704-13-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1704-16-0x00000000026E0000-0x0000000002950000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe /pt \"%1\" \"%2\" \"%3\" \"%4\"" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open\command C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print\command C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.shu C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ = "ShackUp.Document" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ShellNew C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\ = "ShackUp Document" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe,1" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto\command C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe /p \"%1\"" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ShellNew\NullFile C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe

"C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.90:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 90.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

memory/4992-0-0x0000000000400000-0x0000000000476000-memory.dmp

memory/4992-1-0x0000000000400000-0x0000000000476000-memory.dmp

memory/4992-5-0x0000000000400000-0x0000000000476000-memory.dmp

memory/4992-6-0x0000000000400000-0x0000000000476000-memory.dmp

memory/4992-12-0x0000000000400000-0x0000000000476000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win7-20240508-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Spread32\Spread32.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Spread32\Spread32.exe

"C:\Users\Admin\AppData\Local\Temp\Spread32\Spread32.exe"

Network

N/A

Files

memory/1732-0-0x0000000000400000-0x00000000004ED000-memory.dmp

memory/1732-1-0x0000000000400000-0x00000000004ED000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AntMem v13- Try to Free 64mb\64.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AntMem v13- Try to Free 64mb\64.vbs"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Encopy5\encopy5.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Encopy5\encopy5.exe

"C:\Users\Admin\AppData\Local\Temp\Encopy5\encopy5.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
GB 142.250.187.202:443 N/A tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 208.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/2620-0-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2620-1-0x0000000000400000-0x000000000049C000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win7-20240221-en

Max time kernel

142s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe

"C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {d21a32e7-afb2-4ab0-93f0-467d4365cc4c};C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe;2772

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 movie.metaservices.microsoft.com udp
US 65.55.186.115:80 movie.metaservices.microsoft.com tcp

Files

memory/2772-0-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2864-2-0x0000000000A00000-0x0000000000A10000-memory.dmp

memory/2772-4-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2864-6-0x0000000000A00000-0x0000000000A10000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Password Generator\pg.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Password Generator\pg.exe

"C:\Users\Admin\AppData\Local\Temp\Password Generator\pg.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.90:443 www.bing.com tcp
NL 23.62.61.90:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 90.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

memory/3800-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3800-1-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1680kb DMF Floppy Office Xtort Homage 2021 Edition\100k zipper v1.21\100ziper.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1680kb DMF Floppy Office Xtort Homage 2021 Edition\100k zipper v1.21\100ziper.exe

"C:\Users\Admin\AppData\Local\Temp\1680kb DMF Floppy Office Xtort Homage 2021 Edition\100k zipper v1.21\100ziper.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

memory/756-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/756-1-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe"

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe

"C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\System32\Upfc.exe

C:\Windows\System32\Upfc.exe /launchtype periodic /cv KwNQdXLaVU6WzTcdlpLw4w.0

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 232.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
N/A 20.166.126.56:443 N/A tcp

Files

memory/2668-0-0x0000000000400000-0x0000000000419000-memory.dmp

memory/2668-2-0x0000000000400000-0x0000000000419000-memory.dmp

memory/5044-5-0x0000022E3CA30000-0x0000022E3CCA0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 dcc3466cb05788d5b662a285577a0494
SHA1 41fdc376346f8d912746bf96826aedb0451d5837
SHA256 6f21319c1e8c9d613244a5c7978e19e9367405a768c016e4a24f332c36572a9f
SHA512 1fb12e79c90d6b02a13e49f8c0c51c7db42446c50073c5185278a94e51a11cfa27fe822de1aa80a51b166f39077bd4a8cf7e00cabf31dd69f77f62888a4e12b5

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TheGun\THEGUN.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TheGun\THEGUN.exe

"C:\Users\Admin\AppData\Local\Temp\TheGun\THEGUN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.56:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.56:443 www.bing.com tcp
US 8.8.8.8:53 56.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 232.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

memory/1532-0-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1532-1-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win7-20240220-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mfx\ = "mfxfile" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\ = "MicroFTP 2000 Account Export File" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\mfxfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.mfx\ = "mfxfile" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mfxfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mfx C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.mfx C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mfxfile C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mfxfile\DefaultIcon\ = "c:\\users\\admin\\appdata\\local\\temp\\microftp\\microftp.exe,2" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\DefaultIcon\ = "c:\\users\\admin\\appdata\\local\\temp\\microftp\\microftp.exe,2" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.mfx C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mfxfile\ = "MicroFTP 2000 Account Export File" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\mfxfile C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe

"C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe"

Network

N/A

Files

memory/2176-0-0x0000000000400000-0x00000000007DD000-memory.dmp

memory/2176-3-0x00000000009B0000-0x00000000009C0000-memory.dmp

memory/2176-6-0x0000000000400000-0x00000000007DD000-memory.dmp

memory/2176-8-0x00000000009B0000-0x00000000009C0000-memory.dmp

memory/2176-10-0x00000000009B0000-0x00000000009C0000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\DefaultIcon\ = "c:\\users\\admin\\appdata\\local\\temp\\microftp\\microftp.exe,2" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.mfx\ = "mfxfile" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\mfxfile C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mfx C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\ = "MicroFTP 2000 Account Export File" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\mfxfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\mfxfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mfx\ = "mfxfile" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.mfx C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.mfx C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\mfxfile C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\mfxfile\ = "MicroFTP 2000 Account Export File" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\mfxfile\DefaultIcon\ = "c:\\users\\admin\\appdata\\local\\temp\\microftp\\microftp.exe,2" C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe

"C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

memory/2176-0-0x0000000000400000-0x00000000007DD000-memory.dmp

memory/2176-5-0x0000000000400000-0x00000000007DD000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win7-20231129-en

Max time kernel

141s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe

"C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {0ec4a233-e49b-47dc-9883-c26cebaffaaf};C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe;2372

Network

Country Destination Domain Proto
US 8.8.8.8:53 movie.metaservices.microsoft.com udp
US 65.55.186.115:80 movie.metaservices.microsoft.com tcp

Files

memory/2372-0-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2316-2-0x0000000000440000-0x0000000000450000-memory.dmp

memory/2372-4-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2316-6-0x0000000000440000-0x0000000000450000-memory.dmp

memory/2372-7-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2372-11-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2372-13-0x0000000000300000-0x0000000000301000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Spread32\Spread32.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Spread32\Spread32.exe

"C:\Users\Admin\AppData\Local\Temp\Spread32\Spread32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4156,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 208.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 232.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/956-0-0x0000000000400000-0x00000000004ED000-memory.dmp

memory/956-1-0x0000000000400000-0x00000000004ED000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win7-20240419-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe

"C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe"

Network

N/A

Files

memory/2288-0-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-2-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-5-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-7-0x00000000008F0000-0x0000000000925000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\config.txt

MD5 8a33050b4e6b0bc73ff4caceaddb86ed
SHA1 fc429301cca2a147b6b427fd2fdc722578cd4343
SHA256 591fd1b180c014686e9085b792a34d6c5cab4124882492b38cd3dfab9692fca4
SHA512 77eff53a212260f3808523682143236a96c7e40a5635af42dd738caee412bfc4c8068b4ca397cd9dfba1cd1dbea95cfc29386e1f96c2b9862ab5ae1dfe134eb3

memory/2288-10-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-13-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-15-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-18-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-20-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-23-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-25-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-28-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-31-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-33-0x00000000008F0000-0x0000000000925000-memory.dmp

memory/2288-36-0x00000000008F0000-0x0000000000925000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win7-20240508-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe"

Signatures

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe

"C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe"

Network

N/A

Files

memory/1708-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1708-1-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe"

Signatures

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe

"C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 152.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/1612-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1612-1-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win7-20231129-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\FoldersReport\report.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000508cf439700bc441852fc6e676e4f9f10000000002000000000010660000000100002000000091b60edd331fd21983d072e7b059728e3b0c342f747b2f11b7cea9180aac53fc000000000e8000000002000020000000953eae4c3f318677dead10173366748e15f5ffe6e3e2d680fec267698f90951420000000bab065b44733c5f0a4ed1d49259ba0851f15344ddefc667387e2c50ad33ca7f7400000003e44eaef24c412a6e0be7639ed994fb8be2a19c734691664cf865128c9f5684858258ee64bb8c2bf5ff0e42f19e338c192d13b133d532aec327be6608a4b7f03 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0CF2F6A1-0DD4-11EF-8221-D669B05BD432} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ac8ce1e0a1da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421400854" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000508cf439700bc441852fc6e676e4f9f100000000020000000000106600000001000020000000eba698237af57568eb642d1151e9bd6ee8107a3e3826647cdb36b9d04b0be43e000000000e8000000002000020000000bea596ab136f59c46328a593fee966af4bde5f608af5337b150ee450dca7bb5490000000a85dde4973babc91c38008e038b7927ce179ba60c46e6096d1dc4281bf381025e4ee52e0934b84df9a859074f6fe26539cdd37d077c9ff978b2f209bc2a14b8cdd5c658eaba9e6968e8cdd13397ecc5d330885411f5624d7af7b43f199fc401a78e3ba8edcd9c390a1603c6d8590273ae82ca9e6a3f57222798999f906e25b37f45ee5d224d21b8cbfae882d0b94a62c400000006c3f4e4c561f8846caa67f5927c206ff2b000792329829d120f34bb774c6dfc9a71f9d20e7e221b47cbc0858c0c277b3f3a20386917b6099bbabf857ec81fbc8 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\FoldersReport\report.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.62.61.56:80 www.bing.com tcp
NL 23.62.61.56:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab324A.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3394.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3ffbd2d03ab804b8ff8ebb2b7cb8b75
SHA1 b71bb8ba1c6c04b833dc2757e959fe4db5980220
SHA256 57df64cf1523981a737cf577ad63f90eb1a54ef9389d2dd76ef6c75f37920100
SHA512 fcb1d263da29bda8ebb9d324a270000fcee69426b1a9105303c9ea7a70e8b8fafdf902846b7341742eaa160d44a0104892eafdf9788e1ef77ef7f92ddf1ac219

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c772c06463c093f32bc29ae3c78050b2
SHA1 26feed8ca31f5fbcf454120aa43fc76906cb1f55
SHA256 a9b9aed4f4eeb646cbb84372a0291e44a611b382f0f6d98484578ceaea5bd25d
SHA512 0b9554a9862d694ff2aad9c0ae4fc24769c83263023ffcca2a61afd26e46743ff175c61edc838811900ce8fabafb0cbe2d830600c9436df9cbb7cc1f942257cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 9cbb34ab618217a3a718a23468febfcc
SHA1 df52b12f2949d05cfeb92e2034c078ad3f6b8a06
SHA256 ed4e17bcd460ea09bc041effc8ee7f5c8e9a49b2224adc50743bdfb63a4d1ec7
SHA512 0cbc501d0d0a583a645550de74355001980bef6cb8ace3aee42408af7609f2320b6fe61756a8bc84ae3312064415c9c49ec20fb13b46bb9475050057316cbc07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 875ed4648db48dd8d8d8a6f88f95d1ed
SHA1 2310cf3f5caf65203829a6128f5fdb087b1794e7
SHA256 8fb164bc389a0aaa1926fd438e53df26040b2530cc9c2393797d1558a4fe2559
SHA512 bb6cda0eb0c881e3b3c9cd6dba257f14829e191901c466dadbc9f93a8e5b5d6472a8c28a24623ed61867997130ddc17ccdeb28df881e013877649ac5d0970e5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad3bd67a308a3d2d6ff023680c1fdd9b
SHA1 9c23371fc7c1519d626465c53f94db9253fd27bd
SHA256 c9b5634e0b29a6b2ffee89e0d9a9ec43a81d61ee5563f60cd0fc40c55ef77aaf
SHA512 b60b5c80c29313ff936bad3f98b2fa81145c04409118454f2c72e56275a29ec5f7a9e1674da9a4bed4ce489ab7fd4257ce4ae4b63538ec2b23835edb5d326927

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c684b92482991fa4176e471aa5dac884
SHA1 8dc34fa74d65974497c602c438c5f37f81804f0d
SHA256 e7d39e0cc80ae9a7cd4faf4803ecbef768624bdffdeddebae69417c0099c4677
SHA512 5de1c1d5d289283d4681250ebe265973ded68e7b74b2b03d7d527d180c31e391a377ba9cd74eb47679f2318cf97761f42acc2caf1f71761128838aad822bbbea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 8863015c4cbc67ffb361dc66b39473f4
SHA1 256d262645c09f0c02126bc94da08d66d0fd759f
SHA256 6584e8f1e359faeb2a33f045c47a921dea7e01f7c10b83af611b50ae2d55a34e
SHA512 d800a853008638398b55128f4d9b33fb955362e14b182c2f75b8c7970a6bd7a0e1c0847d9f6b79fd1a15486e4ab4270322aa0934a9b24a83aa505df6b88e1de9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc069ea6344641285568a4087b39328f
SHA1 8f0069d526bf125bf4953aea73503d97f773ddc3
SHA256 9c64d07e1e8c01ba418cdb406d42137792d2e5ac98f03a253418670a9525e654
SHA512 49b705e4bb07e3639cae88d217972f755a9a10849b6a91b9618ade0a4acd04cffd2df030161e4d73ec26e02afbda366cde3f8ba39e54a6697f7e43454464f3bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e3bcf3c5ad61479d6f892335e551ba0
SHA1 09b4408aadcd842063e944e17e22d4e8dbf2fa49
SHA256 cd387c5d307133704df78091f15a23746ec38612b69f82a76f5b17f69c553f91
SHA512 20b1e34abcd4d17e642d89d764a1db6375d2bff76527e0ad7d1ee65c19ad0cd2581b2b0237a6a44d54be607e60df77c34f9963aac9e3292edb7c078745776835

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c7918235a632223fcb3098005dff157
SHA1 827f2d0b1f80bfd5c4ef8532269b1937171f419b
SHA256 cd68b427ccffd75a0a4854091568224f72f2f1039ea2d5d3a6c28f8c76443cd5
SHA512 491de946a00ce2af9dae9699c9b1beb5dbbd40ad4759a5cefd50b48b169c768fd896d3d9b26c492ca75b5a1f7855b6b6b9bc1a08d59a9c3fd258129f9e2ab554

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ee26f13007e65a691b4e056a544c834
SHA1 4c0f9bb0501f86ffe42d66addf581cc151514008
SHA256 d1928837941daac3b1cac6de8d4d26ef85a5acb17eff2745a1b100478b65d49f
SHA512 ae1d8ecb898158db28195ee28db14d7fb8e1b17f09ff9fea556689cc0059fe6051747edd9747b23e409a232dd598b607a78fafa62ee2ebdd475e8ae9bddd5668

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1374a2f775cabaa31f99f62eb80d7a6
SHA1 b16c3ae90dc35e30d1d9e08dbc50960d98af61d1
SHA256 6edf177643434ef3bdbddf10cdf095da189224917b919ae2a63e15ccf0292d31
SHA512 3a86bee0b7581db9f094a24ab9428168f5e8a89b53bcb01a65340be85d5b6c0080f166a56115285a875a908c168d53cba5475e22cafa2a482bdcbb95ac275d8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8bdbeca05f94f48944d80134005ecd8c
SHA1 2e6d41566e729fe1686a5c79b4d8eec7d2ed9360
SHA256 b008aad47fd7b15fad2a872502dcfbad74964be8e5a0772925c5043cbadb789e
SHA512 ca6bcda8b02046c7bb2e43148dc2a182f077f973738a4d136f19aedc5d4aadfdb041bba4dc7a9e6225364f6e426049cf9fc7d063ade7bfb75caa307585767346

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 306b0ee8df5daf196eda1dc5e86e5be3
SHA1 8b0efcfadbfa20863b213a11fd7af34c6850d9cd
SHA256 9d7f00dacc6639ce5c40469d0bad21832385a0d8925c635762b13d60004685cd
SHA512 e1028b6b81d0cfcd1bb794ded87f75b84ab82bea5e6e426c4619cb00a31e9e75c89293736878e5de04906c182d00c22e893c94e6cd6518d9531a77c03a953405

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f48dfae50b2d1470460645b14bb504b7
SHA1 935159ce0e5ae355454bc79df185aa5e75d3b2b1
SHA256 f86437eeb776d44e42979e44cb89b316b4c21fe26a36440f026e36d7b4188dee
SHA512 23460a7f3005caad79a62b10d06185e86b8909432946f2eb299c66a5af82d3a5882e314931ca0f1464de001bf3ea39cb5a33be58b5280c80e31380e8d0c69dc1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fec617d062ca42835969ff6352dc16a
SHA1 7270f4d320692dcdcaeabecb08de9c76a8be5deb
SHA256 014a6922cbdfdf5855582c20bac9af98b56419e506eaa205dace7708b9c09563
SHA512 d5f66a3d5932fc77bca16e41eb9a1cc927bae6e0213d7afc0bb734687b57db65382944814c7524a27ed0aa3299d35828820f0d0ba81b82bfdeb3d4b2e144cfae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa22ebf0471828c012fe6c13b2147d03
SHA1 e957fa2631b8b243caa3bd966969d97d40ba4ce8
SHA256 711861e55390a806f5703ce33d9ab8263d41a7ca738c43d2027baeb57f97012f
SHA512 88002a6168589724ae71fe2f7febd0745393837ed4c276e5f3391182bbcd699c66817e0adc01573358c87ae4da1ce6b04488543d6e65c023ff92f684cff9a5cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6db072c46af4bfaf7c98e3a9cfacf2f
SHA1 f88e7f073ec8b5e8781913c2d6839cf2522df9a1
SHA256 cfdd15994d45bdab93896b49593058f7d66359bb5a3bafacc76445ca920a64a2
SHA512 13c361d2f5f45d5801972d9d59125f6d6635489c27c59075cd7941c7e56aa87daa2344ed7522efe17659fddba725f1b2adfae3f79b38c0d954d7dd2f8ae1853c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15efd4124a44c379db940a75c0c16f99
SHA1 b0314ef50e4dbe209ae159fde20e7b8a7bc806e6
SHA256 3c01fb5ac4a39c06b9e0dc435284a194f13ad02e147dd430e20929d4f5d72a6b
SHA512 35a7282739ee9593e571d6e6a1184bb0993596a553795d9b4794469d65bfbc7048e74ef110e3f20a97a909de3a9b08a3b573b451e3e809c8aab7bae037375aed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e04b0add276ff3b0c38e0357c7ceac5f
SHA1 3d9f80fcde99b7313568494f9d841567701eaf20
SHA256 b552cd86b724c8ae8a8ba311e2321b069e8d5a8e01c89c4cf319371ba9fb8360
SHA512 25ab815711ec8525a3672256544b867c549a2c0c743ea7b9d930f5294fdcfd38a9d3b2eba265dae0b9fa714d3e0bb95e7965e44d4e0552a62e76c974b20b0de3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bccba0189cdce4b0dade4bb3241dbf4
SHA1 79ea6145ec83ee8f31aac70c6fa5bea0060af11b
SHA256 78bef118a62c4d25986ebbad88bd14ca6be2db41649791dda13b1e6ac8f013c3
SHA512 3132c0c18cd0a313b98621e859451ccd53429a90b078307697c1ca70a62b9368cc320bc93d8b59ade22ab4e64add17ca33bdfdf8afe5784dfec3e6a039468f01

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win7-20240221-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ShellNew\NullFile C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print\command C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe /pt \"%1\" \"%2\" \"%3\" \"%4\"" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\DefaultIcon C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe /p \"%1\"" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto\command C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ShellNew C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\ = "ShackUp Document" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ = "ShackUp.Document" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe,1" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.shu C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open\command C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe

"C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe"

Network

N/A

Files

memory/2868-0-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2868-1-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2868-6-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2868-12-0x0000000000400000-0x0000000000476000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe

"C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

memory/2216-0-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-2-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-5-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-7-0x0000000000560000-0x0000000000595000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\config.txt

MD5 8a33050b4e6b0bc73ff4caceaddb86ed
SHA1 fc429301cca2a147b6b427fd2fdc722578cd4343
SHA256 591fd1b180c014686e9085b792a34d6c5cab4124882492b38cd3dfab9692fca4
SHA512 77eff53a212260f3808523682143236a96c7e40a5635af42dd738caee412bfc4c8068b4ca397cd9dfba1cd1dbea95cfc29386e1f96c2b9862ab5ae1dfe134eb3

memory/2216-10-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-13-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-15-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-18-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-21-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-23-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-26-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-28-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-31-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-34-0x0000000000560000-0x0000000000595000-memory.dmp

memory/2216-36-0x0000000000560000-0x0000000000595000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe C:\Windows\splwow64.exe
PID 1512 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe

"C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 23.62.61.56:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
NL 23.62.61.56:443 www.bing.com tcp
US 8.8.8.8:53 56.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

memory/1512-0-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-1-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-2-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-3-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-4-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-5-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-6-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-7-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-8-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-9-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-10-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-11-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-12-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-13-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1512-14-0x0000000000400000-0x0000000000454000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe

"C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 152.61.62.23.in-addr.arpa udp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2344-0-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2344-3-0x0000000000400000-0x000000000041A000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win7-20240221-en

Max time kernel

140s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Password Generator\pg.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Password Generator\pg.exe

"C:\Users\Admin\AppData\Local\Temp\Password Generator\pg.exe"

Network

N/A

Files

memory/1952-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1952-1-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win7-20240215-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TheGun\THEGUN.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TheGun\THEGUN.exe

"C:\Users\Admin\AppData\Local\Temp\TheGun\THEGUN.exe"

Network

N/A

Files

memory/2228-0-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2228-1-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win7-20240508-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1680kb DMF Floppy Office Xtort Homage 2021 Edition\100k zipper v1.21\100ziper.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1680kb DMF Floppy Office Xtort Homage 2021 Edition\100k zipper v1.21\100ziper.exe

"C:\Users\Admin\AppData\Local\Temp\1680kb DMF Floppy Office Xtort Homage 2021 Edition\100k zipper v1.21\100ziper.exe"

Network

N/A

Files

memory/2232-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2232-1-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:19

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

103s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AntMem v13- Try to Free 64mb\64.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AntMem v13- Try to Free 64mb\64.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 208.14.97.104.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-09 07:16

Reported

2024-05-09 07:18

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe

"C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/4968-0-0x0000000000400000-0x000000000052A000-memory.dmp

memory/4968-1-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/4968-5-0x0000000000400000-0x000000000052A000-memory.dmp

memory/4968-7-0x00000000029E0000-0x00000000029E1000-memory.dmp