Analysis Overview
SHA256
858ff0e6cd73fb2fc697e98f99ad5f9bd4de08a2a66f9a8b96267e169ecfc381
Threat Level: Known bad
The file 858ff0e6cd73fb2fc697e98f99ad5f9bd4de08a2a66f9a8b96267e169ecfc381 was found to be: Known bad.
Malicious Activity Summary
Nirsoft
Nirsoft
Blocklisted process makes network request
Modifies file permissions
UPX packed file
ASPack v2.12-2.42
ACProtect 1.3x - 1.4x DLL software
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 07:16
Signatures
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win7-20240508-en
Max time kernel
140s
Max time network
122s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Encopy5\encopy5.exe
"C:\Users\Admin\AppData\Local\Temp\Encopy5\encopy5.exe"
Network
Files
memory/1688-0-0x0000000000400000-0x000000000049C000-memory.dmp
memory/1688-1-0x0000000000400000-0x000000000049C000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
130s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\FoldersReport\report.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b83646f8,0x7ff9b8364708,0x7ff9b8364718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2368642252341916045,5671858667657018081,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4158365912175436289496136e7912c2 |
| SHA1 | 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59 |
| SHA256 | 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1 |
| SHA512 | 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b |
\??\pipe\LOCAL\crashpad_4732_EOQOMAAVLIVKVJIR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ce4c898f8fc7601e2fbc252fdadb5115 |
| SHA1 | 01bf06badc5da353e539c7c07527d30dccc55a91 |
| SHA256 | bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa |
| SHA512 | 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ca27a6bd86c3e5fab3db85e8ef106481 |
| SHA1 | a289c4f6d1da424c16ed94c7635d777472361887 |
| SHA256 | d939760cb2b691d3d16858fb4942b4431f508eaf8b92ccf9b86648931ca4c2d2 |
| SHA512 | 81af9fd6fb1a35c1c274ca26258ff9bc96591d9310da52586dba8225553a25404cf75a251223821505ae6e2219ec8cf9ec20407a44415bcfc3b7ddb8c878a4f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4ac19cad95465f4c243c9bf6502174e8 |
| SHA1 | 03845b457ef1830d1725dee0d9a3e3ab2a15ac28 |
| SHA256 | 9c323c819b9b7b7960c054cd430cbb2713f237e62aa54fd6105cbb3d1452fdcf |
| SHA512 | a62f1db569fd97c5ddad1f340164c7fe74d783a56bf610b524392f95eaecf482659033203d44348cc84b0a098c5e4275d1af7be13b57f718465e80a24ebdba55 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 40da1f72812d4073997c7f6986dd2f87 |
| SHA1 | 09b10351b09e2b74b69ebcfdf58464d08f74af78 |
| SHA256 | 61dabea014ab8ef0768067fd55cdd11150e69b6a470ba794348056483f63d23a |
| SHA512 | b3ca06b21d93cf58b3be0edaf95e5d717e3c94826909f342eeb3f309f9c1efbb26162103fc586e74454be8617473a1df8c014974281b5fbbb466b47c30e2fc92 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win7-20240508-en
Max time kernel
140s
Max time network
121s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe
"C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe"
Network
Files
memory/1976-0-0x0000000000400000-0x000000000041A000-memory.dmp
memory/1976-3-0x0000000000400000-0x000000000041A000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win7-20240220-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 1792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 1792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 1792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 1792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 1792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 1792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 1792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xpass\xpass.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xpass\xpass.dll,#1
Network
Files
memory/1792-0-0x00000000001E0000-0x00000000001EB000-memory.dmp
memory/1792-3-0x00000000001F0000-0x00000000001FB000-memory.dmp
memory/1792-2-0x00000000001E0000-0x00000000001EB000-memory.dmp
memory/1792-1-0x00000000001E0000-0x00000000001EB000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1912 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1912 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1912 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xpass\xpass.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xpass\xpass.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.88:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.88:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/2764-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2764-1-0x0000000000400000-0x000000000040B000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win7-20240221-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2308 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
| PID 2308 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
| PID 2308 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
| PID 2308 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe
"C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe"
Network
Files
memory/2308-0-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2308-2-0x0000000000400000-0x0000000000419000-memory.dmp
memory/1704-5-0x00000000026E0000-0x0000000002950000-memory.dmp
memory/1704-13-0x0000000000130000-0x0000000000131000-memory.dmp
memory/1704-16-0x00000000026E0000-0x0000000002950000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe /pt \"%1\" \"%2\" \"%3\" \"%4\"" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print\command | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.shu | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ = "ShackUp.Document" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ShellNew | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\ = "ShackUp Document" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe,1" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto\command | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe /p \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ShellNew\NullFile | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe
"C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
Files
memory/4992-0-0x0000000000400000-0x0000000000476000-memory.dmp
memory/4992-1-0x0000000000400000-0x0000000000476000-memory.dmp
memory/4992-5-0x0000000000400000-0x0000000000476000-memory.dmp
memory/4992-6-0x0000000000400000-0x0000000000476000-memory.dmp
memory/4992-12-0x0000000000400000-0x0000000000476000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win7-20240508-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Spread32\Spread32.exe
"C:\Users\Admin\AppData\Local\Temp\Spread32\Spread32.exe"
Network
Files
memory/1732-0-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/1732-1-0x0000000000400000-0x00000000004ED000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win7-20240419-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AntMem v13- Try to Free 64mb\64.vbs"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
158s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Encopy5\encopy5.exe
"C:\Users\Admin\AppData\Local\Temp\Encopy5\encopy5.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
memory/2620-0-0x0000000000400000-0x000000000049C000-memory.dmp
memory/2620-1-0x0000000000400000-0x000000000049C000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win7-20240221-en
Max time kernel
142s
Max time network
127s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe
"C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {d21a32e7-afb2-4ab0-93f0-467d4365cc4c};C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe;2772
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | movie.metaservices.microsoft.com | udp |
| US | 65.55.186.115:80 | movie.metaservices.microsoft.com | tcp |
Files
memory/2772-0-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2864-2-0x0000000000A00000-0x0000000000A10000-memory.dmp
memory/2772-4-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2864-6-0x0000000000A00000-0x0000000000A10000-memory.dmp
memory/2772-8-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-9-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-10-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-11-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-12-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-13-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-14-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-15-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-16-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-17-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-18-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-19-0x0000000000400000-0x0000000000454000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Password Generator\pg.exe
"C:\Users\Admin\AppData\Local\Temp\Password Generator\pg.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
memory/3800-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3800-1-0x0000000000400000-0x0000000000409000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
127s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1680kb DMF Floppy Office Xtort Homage 2021 Edition\100k zipper v1.21\100ziper.exe
"C:\Users\Admin\AppData\Local\Temp\1680kb DMF Floppy Office Xtort Homage 2021 Edition\100k zipper v1.21\100ziper.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
memory/756-0-0x0000000000400000-0x0000000000433000-memory.dmp
memory/756-1-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2668 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe | C:\Program Files\Java\jre-1.8\bin\javaw.exe |
| PID 2668 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe | C:\Program Files\Java\jre-1.8\bin\javaw.exe |
| PID 5044 wrote to memory of 1448 | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Windows\system32\icacls.exe |
| PID 5044 wrote to memory of 1448 | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe
"C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\CSVboard v1.1\CSVboard.exe"
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv KwNQdXLaVU6WzTcdlpLw4w.0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.166.126.56:443 | tcp |
Files
memory/2668-0-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2668-2-0x0000000000400000-0x0000000000419000-memory.dmp
memory/5044-5-0x0000022E3CA30000-0x0000022E3CCA0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | dcc3466cb05788d5b662a285577a0494 |
| SHA1 | 41fdc376346f8d912746bf96826aedb0451d5837 |
| SHA256 | 6f21319c1e8c9d613244a5c7978e19e9367405a768c016e4a24f332c36572a9f |
| SHA512 | 1fb12e79c90d6b02a13e49f8c0c51c7db42446c50073c5185278a94e51a11cfa27fe822de1aa80a51b166f39077bd4a8cf7e00cabf31dd69f77f62888a4e12b5 |
memory/5044-20-0x0000022E3B1E0000-0x0000022E3B1E1000-memory.dmp
memory/5044-22-0x0000022E3CCA0000-0x0000022E3CCB0000-memory.dmp
memory/5044-26-0x0000022E3CCC0000-0x0000022E3CCD0000-memory.dmp
memory/5044-25-0x0000022E3CCB0000-0x0000022E3CCC0000-memory.dmp
memory/5044-29-0x0000022E3CCD0000-0x0000022E3CCE0000-memory.dmp
memory/5044-34-0x0000022E3CCF0000-0x0000022E3CD00000-memory.dmp
memory/5044-32-0x0000022E3CCE0000-0x0000022E3CCF0000-memory.dmp
memory/5044-37-0x0000022E3CD10000-0x0000022E3CD20000-memory.dmp
memory/5044-36-0x0000022E3CD00000-0x0000022E3CD10000-memory.dmp
memory/5044-39-0x0000022E3CD20000-0x0000022E3CD30000-memory.dmp
memory/5044-42-0x0000022E3CD30000-0x0000022E3CD40000-memory.dmp
memory/5044-45-0x0000022E3CD40000-0x0000022E3CD50000-memory.dmp
memory/5044-46-0x0000022E3CA30000-0x0000022E3CCA0000-memory.dmp
memory/5044-47-0x0000022E3CD50000-0x0000022E3CD60000-memory.dmp
memory/5044-50-0x0000022E3CD60000-0x0000022E3CD70000-memory.dmp
memory/5044-49-0x0000022E3CCA0000-0x0000022E3CCB0000-memory.dmp
memory/5044-54-0x0000022E3CD70000-0x0000022E3CD80000-memory.dmp
memory/5044-53-0x0000022E3CCC0000-0x0000022E3CCD0000-memory.dmp
memory/5044-52-0x0000022E3CCB0000-0x0000022E3CCC0000-memory.dmp
memory/5044-58-0x0000022E3CD80000-0x0000022E3CD90000-memory.dmp
memory/5044-57-0x0000022E3CCE0000-0x0000022E3CCF0000-memory.dmp
memory/5044-56-0x0000022E3CCD0000-0x0000022E3CCE0000-memory.dmp
memory/5044-60-0x0000022E3CD90000-0x0000022E3CDA0000-memory.dmp
memory/5044-63-0x0000022E3CCF0000-0x0000022E3CD00000-memory.dmp
memory/5044-64-0x0000022E3CDA0000-0x0000022E3CDB0000-memory.dmp
memory/5044-67-0x0000022E3CDB0000-0x0000022E3CDC0000-memory.dmp
memory/5044-66-0x0000022E3CD10000-0x0000022E3CD20000-memory.dmp
memory/5044-65-0x0000022E3CD00000-0x0000022E3CD10000-memory.dmp
memory/5044-70-0x0000022E3CDC0000-0x0000022E3CDD0000-memory.dmp
memory/5044-69-0x0000022E3CD20000-0x0000022E3CD30000-memory.dmp
memory/5044-76-0x0000022E3CDE0000-0x0000022E3CDF0000-memory.dmp
memory/5044-75-0x0000022E3CDD0000-0x0000022E3CDE0000-memory.dmp
memory/5044-74-0x0000022E3CD30000-0x0000022E3CD40000-memory.dmp
memory/5044-78-0x0000022E3CD40000-0x0000022E3CD50000-memory.dmp
memory/5044-79-0x0000022E3CDF0000-0x0000022E3CE00000-memory.dmp
memory/5044-84-0x0000022E3CE00000-0x0000022E3CE10000-memory.dmp
memory/5044-83-0x0000022E3CD50000-0x0000022E3CD60000-memory.dmp
memory/5044-87-0x0000022E3CD60000-0x0000022E3CD70000-memory.dmp
memory/5044-88-0x0000022E3CE10000-0x0000022E3CE20000-memory.dmp
memory/5044-90-0x0000022E3CD70000-0x0000022E3CD80000-memory.dmp
memory/5044-91-0x0000022E3CE20000-0x0000022E3CE30000-memory.dmp
memory/5044-92-0x0000022E3CD80000-0x0000022E3CD90000-memory.dmp
memory/5044-93-0x0000022E3CE30000-0x0000022E3CE40000-memory.dmp
memory/5044-96-0x0000022E3CD90000-0x0000022E3CDA0000-memory.dmp
memory/5044-97-0x0000022E3CE40000-0x0000022E3CE50000-memory.dmp
memory/5044-100-0x0000022E3CE50000-0x0000022E3CE60000-memory.dmp
memory/5044-99-0x0000022E3CDA0000-0x0000022E3CDB0000-memory.dmp
memory/5044-102-0x0000022E3CDB0000-0x0000022E3CDC0000-memory.dmp
memory/5044-103-0x0000022E3CE60000-0x0000022E3CE70000-memory.dmp
memory/5044-106-0x0000022E3CE70000-0x0000022E3CE80000-memory.dmp
memory/5044-105-0x0000022E3CDC0000-0x0000022E3CDD0000-memory.dmp
memory/5044-109-0x0000022E3CDD0000-0x0000022E3CDE0000-memory.dmp
memory/5044-111-0x0000022E3CE80000-0x0000022E3CE90000-memory.dmp
memory/5044-110-0x0000022E3CDE0000-0x0000022E3CDF0000-memory.dmp
memory/5044-113-0x0000022E3CDF0000-0x0000022E3CE00000-memory.dmp
memory/5044-114-0x0000022E3CE90000-0x0000022E3CEA0000-memory.dmp
memory/5044-115-0x0000022E3CE00000-0x0000022E3CE10000-memory.dmp
memory/5044-116-0x0000022E3CEA0000-0x0000022E3CEB0000-memory.dmp
memory/5044-126-0x0000022E3CE20000-0x0000022E3CE30000-memory.dmp
memory/5044-129-0x0000022E3CEE0000-0x0000022E3CEF0000-memory.dmp
memory/5044-128-0x0000022E3CE30000-0x0000022E3CE40000-memory.dmp
memory/5044-125-0x0000022E3CEC0000-0x0000022E3CED0000-memory.dmp
memory/5044-124-0x0000022E3CED0000-0x0000022E3CEE0000-memory.dmp
memory/5044-123-0x0000022E3CEB0000-0x0000022E3CEC0000-memory.dmp
memory/5044-122-0x0000022E3CE10000-0x0000022E3CE20000-memory.dmp
memory/5044-131-0x0000022E3CEF0000-0x0000022E3CF00000-memory.dmp
memory/5044-130-0x0000022E3CE40000-0x0000022E3CE50000-memory.dmp
memory/5044-134-0x0000022E3CE50000-0x0000022E3CE60000-memory.dmp
memory/5044-135-0x0000022E3CE60000-0x0000022E3CE70000-memory.dmp
memory/5044-136-0x0000022E3CE70000-0x0000022E3CE80000-memory.dmp
memory/5044-137-0x0000022E3CE80000-0x0000022E3CE90000-memory.dmp
memory/5044-138-0x0000022E3CE90000-0x0000022E3CEA0000-memory.dmp
memory/5044-139-0x0000022E3CEA0000-0x0000022E3CEB0000-memory.dmp
memory/5044-140-0x0000022E3CEB0000-0x0000022E3CEC0000-memory.dmp
memory/5044-141-0x0000022E3CEC0000-0x0000022E3CED0000-memory.dmp
memory/5044-143-0x0000022E3CEF0000-0x0000022E3CF00000-memory.dmp
memory/5044-145-0x0000022E3CF00000-0x0000022E3CF10000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TheGun\THEGUN.exe
"C:\Users\Admin\AppData\Local\Temp\TheGun\THEGUN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 56.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
memory/1532-0-0x0000000000400000-0x0000000000407000-memory.dmp
memory/1532-1-0x0000000000400000-0x0000000000407000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win7-20240220-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mfx\ = "mfxfile" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\ = "MicroFTP 2000 Account Export File" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\mfxfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.mfx\ = "mfxfile" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mfxfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mfx | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.mfx | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mfxfile | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mfxfile\DefaultIcon\ = "c:\\users\\admin\\appdata\\local\\temp\\microftp\\microftp.exe,2" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\DefaultIcon\ = "c:\\users\\admin\\appdata\\local\\temp\\microftp\\microftp.exe,2" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.mfx | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mfxfile\ = "MicroFTP 2000 Account Export File" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\mfxfile | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe
"C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe"
Network
Files
memory/2176-0-0x0000000000400000-0x00000000007DD000-memory.dmp
memory/2176-3-0x00000000009B0000-0x00000000009C0000-memory.dmp
memory/2176-6-0x0000000000400000-0x00000000007DD000-memory.dmp
memory/2176-8-0x00000000009B0000-0x00000000009C0000-memory.dmp
memory/2176-10-0x00000000009B0000-0x00000000009C0000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\DefaultIcon\ = "c:\\users\\admin\\appdata\\local\\temp\\microftp\\microftp.exe,2" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.mfx\ = "mfxfile" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\mfxfile | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mfx | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mfxfile\ = "MicroFTP 2000 Account Export File" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\mfxfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\mfxfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mfx\ = "mfxfile" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.mfx | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.mfx | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\mfxfile | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\mfxfile\ = "MicroFTP 2000 Account Export File" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\mfxfile\DefaultIcon\ = "c:\\users\\admin\\appdata\\local\\temp\\microftp\\microftp.exe,2" | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe
"C:\Users\Admin\AppData\Local\Temp\MICROFTP\MicroFTP.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
memory/2176-0-0x0000000000400000-0x00000000007DD000-memory.dmp
memory/2176-5-0x0000000000400000-0x00000000007DD000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win7-20231129-en
Max time kernel
141s
Max time network
118s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2372 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2372 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2372 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2372 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2372 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2372 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2372 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe
"C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {0ec4a233-e49b-47dc-9883-c26cebaffaaf};C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe;2372
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | movie.metaservices.microsoft.com | udp |
| US | 65.55.186.115:80 | movie.metaservices.microsoft.com | tcp |
Files
memory/2372-0-0x0000000000400000-0x000000000052A000-memory.dmp
memory/2316-2-0x0000000000440000-0x0000000000450000-memory.dmp
memory/2372-4-0x0000000000400000-0x000000000052A000-memory.dmp
memory/2316-6-0x0000000000440000-0x0000000000450000-memory.dmp
memory/2372-7-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2372-11-0x0000000000400000-0x000000000052A000-memory.dmp
memory/2372-13-0x0000000000300000-0x0000000000301000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
128s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Spread32\Spread32.exe
"C:\Users\Admin\AppData\Local\Temp\Spread32\Spread32.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4156,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/956-0-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/956-1-0x0000000000400000-0x00000000004ED000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win7-20240419-en
Max time kernel
144s
Max time network
123s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe
"C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe"
Network
Files
memory/2288-0-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-2-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-5-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-7-0x00000000008F0000-0x0000000000925000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\config.txt
| MD5 | 8a33050b4e6b0bc73ff4caceaddb86ed |
| SHA1 | fc429301cca2a147b6b427fd2fdc722578cd4343 |
| SHA256 | 591fd1b180c014686e9085b792a34d6c5cab4124882492b38cd3dfab9692fca4 |
| SHA512 | 77eff53a212260f3808523682143236a96c7e40a5635af42dd738caee412bfc4c8068b4ca397cd9dfba1cd1dbea95cfc29386e1f96c2b9862ab5ae1dfe134eb3 |
memory/2288-10-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-13-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-15-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-18-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-20-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-23-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-25-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-28-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-31-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-33-0x00000000008F0000-0x0000000000925000-memory.dmp
memory/2288-36-0x00000000008F0000-0x0000000000925000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win7-20240508-en
Max time kernel
140s
Max time network
121s
Command Line
Signatures
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe
"C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe"
Network
Files
memory/1708-0-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1708-1-0x0000000000400000-0x0000000000411000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
103s
Command Line
Signatures
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe
"C:\Users\Admin\AppData\Local\Temp\FoldersReport\folrep.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.152:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 152.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
memory/1612-0-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1612-1-0x0000000000400000-0x0000000000411000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win7-20231129-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000508cf439700bc441852fc6e676e4f9f10000000002000000000010660000000100002000000091b60edd331fd21983d072e7b059728e3b0c342f747b2f11b7cea9180aac53fc000000000e8000000002000020000000953eae4c3f318677dead10173366748e15f5ffe6e3e2d680fec267698f90951420000000bab065b44733c5f0a4ed1d49259ba0851f15344ddefc667387e2c50ad33ca7f7400000003e44eaef24c412a6e0be7639ed994fb8be2a19c734691664cf865128c9f5684858258ee64bb8c2bf5ff0e42f19e338c192d13b133d532aec327be6608a4b7f03 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0CF2F6A1-0DD4-11EF-8221-D669B05BD432} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ac8ce1e0a1da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421400854" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000508cf439700bc441852fc6e676e4f9f100000000020000000000106600000001000020000000eba698237af57568eb642d1151e9bd6ee8107a3e3826647cdb36b9d04b0be43e000000000e8000000002000020000000bea596ab136f59c46328a593fee966af4bde5f608af5337b150ee450dca7bb5490000000a85dde4973babc91c38008e038b7927ce179ba60c46e6096d1dc4281bf381025e4ee52e0934b84df9a859074f6fe26539cdd37d077c9ff978b2f209bc2a14b8cdd5c658eaba9e6968e8cdd13397ecc5d330885411f5624d7af7b43f199fc401a78e3ba8edcd9c390a1603c6d8590273ae82ca9e6a3f57222798999f906e25b37f45ee5d224d21b8cbfae882d0b94a62c400000006c3f4e4c561f8846caa67f5927c206ff2b000792329829d120f34bb774c6dfc9a71f9d20e7e221b47cbc0858c0c277b3f3a20386917b6099bbabf857ec81fbc8 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3040 wrote to memory of 2516 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3040 wrote to memory of 2516 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3040 wrote to memory of 2516 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3040 wrote to memory of 2516 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\FoldersReport\report.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 23.62.61.56:80 | www.bing.com | tcp |
| NL | 23.62.61.56:80 | www.bing.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab324A.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar3394.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f3ffbd2d03ab804b8ff8ebb2b7cb8b75 |
| SHA1 | b71bb8ba1c6c04b833dc2757e959fe4db5980220 |
| SHA256 | 57df64cf1523981a737cf577ad63f90eb1a54ef9389d2dd76ef6c75f37920100 |
| SHA512 | fcb1d263da29bda8ebb9d324a270000fcee69426b1a9105303c9ea7a70e8b8fafdf902846b7341742eaa160d44a0104892eafdf9788e1ef77ef7f92ddf1ac219 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c772c06463c093f32bc29ae3c78050b2 |
| SHA1 | 26feed8ca31f5fbcf454120aa43fc76906cb1f55 |
| SHA256 | a9b9aed4f4eeb646cbb84372a0291e44a611b382f0f6d98484578ceaea5bd25d |
| SHA512 | 0b9554a9862d694ff2aad9c0ae4fc24769c83263023ffcca2a61afd26e46743ff175c61edc838811900ce8fabafb0cbe2d830600c9436df9cbb7cc1f942257cf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 9cbb34ab618217a3a718a23468febfcc |
| SHA1 | df52b12f2949d05cfeb92e2034c078ad3f6b8a06 |
| SHA256 | ed4e17bcd460ea09bc041effc8ee7f5c8e9a49b2224adc50743bdfb63a4d1ec7 |
| SHA512 | 0cbc501d0d0a583a645550de74355001980bef6cb8ace3aee42408af7609f2320b6fe61756a8bc84ae3312064415c9c49ec20fb13b46bb9475050057316cbc07 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 875ed4648db48dd8d8d8a6f88f95d1ed |
| SHA1 | 2310cf3f5caf65203829a6128f5fdb087b1794e7 |
| SHA256 | 8fb164bc389a0aaa1926fd438e53df26040b2530cc9c2393797d1558a4fe2559 |
| SHA512 | bb6cda0eb0c881e3b3c9cd6dba257f14829e191901c466dadbc9f93a8e5b5d6472a8c28a24623ed61867997130ddc17ccdeb28df881e013877649ac5d0970e5f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ad3bd67a308a3d2d6ff023680c1fdd9b |
| SHA1 | 9c23371fc7c1519d626465c53f94db9253fd27bd |
| SHA256 | c9b5634e0b29a6b2ffee89e0d9a9ec43a81d61ee5563f60cd0fc40c55ef77aaf |
| SHA512 | b60b5c80c29313ff936bad3f98b2fa81145c04409118454f2c72e56275a29ec5f7a9e1674da9a4bed4ce489ab7fd4257ce4ae4b63538ec2b23835edb5d326927 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c684b92482991fa4176e471aa5dac884 |
| SHA1 | 8dc34fa74d65974497c602c438c5f37f81804f0d |
| SHA256 | e7d39e0cc80ae9a7cd4faf4803ecbef768624bdffdeddebae69417c0099c4677 |
| SHA512 | 5de1c1d5d289283d4681250ebe265973ded68e7b74b2b03d7d527d180c31e391a377ba9cd74eb47679f2318cf97761f42acc2caf1f71761128838aad822bbbea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 8863015c4cbc67ffb361dc66b39473f4 |
| SHA1 | 256d262645c09f0c02126bc94da08d66d0fd759f |
| SHA256 | 6584e8f1e359faeb2a33f045c47a921dea7e01f7c10b83af611b50ae2d55a34e |
| SHA512 | d800a853008638398b55128f4d9b33fb955362e14b182c2f75b8c7970a6bd7a0e1c0847d9f6b79fd1a15486e4ab4270322aa0934a9b24a83aa505df6b88e1de9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fc069ea6344641285568a4087b39328f |
| SHA1 | 8f0069d526bf125bf4953aea73503d97f773ddc3 |
| SHA256 | 9c64d07e1e8c01ba418cdb406d42137792d2e5ac98f03a253418670a9525e654 |
| SHA512 | 49b705e4bb07e3639cae88d217972f755a9a10849b6a91b9618ade0a4acd04cffd2df030161e4d73ec26e02afbda366cde3f8ba39e54a6697f7e43454464f3bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e3bcf3c5ad61479d6f892335e551ba0 |
| SHA1 | 09b4408aadcd842063e944e17e22d4e8dbf2fa49 |
| SHA256 | cd387c5d307133704df78091f15a23746ec38612b69f82a76f5b17f69c553f91 |
| SHA512 | 20b1e34abcd4d17e642d89d764a1db6375d2bff76527e0ad7d1ee65c19ad0cd2581b2b0237a6a44d54be607e60df77c34f9963aac9e3292edb7c078745776835 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c7918235a632223fcb3098005dff157 |
| SHA1 | 827f2d0b1f80bfd5c4ef8532269b1937171f419b |
| SHA256 | cd68b427ccffd75a0a4854091568224f72f2f1039ea2d5d3a6c28f8c76443cd5 |
| SHA512 | 491de946a00ce2af9dae9699c9b1beb5dbbd40ad4759a5cefd50b48b169c768fd896d3d9b26c492ca75b5a1f7855b6b6b9bc1a08d59a9c3fd258129f9e2ab554 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8ee26f13007e65a691b4e056a544c834 |
| SHA1 | 4c0f9bb0501f86ffe42d66addf581cc151514008 |
| SHA256 | d1928837941daac3b1cac6de8d4d26ef85a5acb17eff2745a1b100478b65d49f |
| SHA512 | ae1d8ecb898158db28195ee28db14d7fb8e1b17f09ff9fea556689cc0059fe6051747edd9747b23e409a232dd598b607a78fafa62ee2ebdd475e8ae9bddd5668 |
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c1374a2f775cabaa31f99f62eb80d7a6 |
| SHA1 | b16c3ae90dc35e30d1d9e08dbc50960d98af61d1 |
| SHA256 | 6edf177643434ef3bdbddf10cdf095da189224917b919ae2a63e15ccf0292d31 |
| SHA512 | 3a86bee0b7581db9f094a24ab9428168f5e8a89b53bcb01a65340be85d5b6c0080f166a56115285a875a908c168d53cba5475e22cafa2a482bdcbb95ac275d8d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8bdbeca05f94f48944d80134005ecd8c |
| SHA1 | 2e6d41566e729fe1686a5c79b4d8eec7d2ed9360 |
| SHA256 | b008aad47fd7b15fad2a872502dcfbad74964be8e5a0772925c5043cbadb789e |
| SHA512 | ca6bcda8b02046c7bb2e43148dc2a182f077f973738a4d136f19aedc5d4aadfdb041bba4dc7a9e6225364f6e426049cf9fc7d063ade7bfb75caa307585767346 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 306b0ee8df5daf196eda1dc5e86e5be3 |
| SHA1 | 8b0efcfadbfa20863b213a11fd7af34c6850d9cd |
| SHA256 | 9d7f00dacc6639ce5c40469d0bad21832385a0d8925c635762b13d60004685cd |
| SHA512 | e1028b6b81d0cfcd1bb794ded87f75b84ab82bea5e6e426c4619cb00a31e9e75c89293736878e5de04906c182d00c22e893c94e6cd6518d9531a77c03a953405 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f48dfae50b2d1470460645b14bb504b7 |
| SHA1 | 935159ce0e5ae355454bc79df185aa5e75d3b2b1 |
| SHA256 | f86437eeb776d44e42979e44cb89b316b4c21fe26a36440f026e36d7b4188dee |
| SHA512 | 23460a7f3005caad79a62b10d06185e86b8909432946f2eb299c66a5af82d3a5882e314931ca0f1464de001bf3ea39cb5a33be58b5280c80e31380e8d0c69dc1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4fec617d062ca42835969ff6352dc16a |
| SHA1 | 7270f4d320692dcdcaeabecb08de9c76a8be5deb |
| SHA256 | 014a6922cbdfdf5855582c20bac9af98b56419e506eaa205dace7708b9c09563 |
| SHA512 | d5f66a3d5932fc77bca16e41eb9a1cc927bae6e0213d7afc0bb734687b57db65382944814c7524a27ed0aa3299d35828820f0d0ba81b82bfdeb3d4b2e144cfae |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aa22ebf0471828c012fe6c13b2147d03 |
| SHA1 | e957fa2631b8b243caa3bd966969d97d40ba4ce8 |
| SHA256 | 711861e55390a806f5703ce33d9ab8263d41a7ca738c43d2027baeb57f97012f |
| SHA512 | 88002a6168589724ae71fe2f7febd0745393837ed4c276e5f3391182bbcd699c66817e0adc01573358c87ae4da1ce6b04488543d6e65c023ff92f684cff9a5cf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a6db072c46af4bfaf7c98e3a9cfacf2f |
| SHA1 | f88e7f073ec8b5e8781913c2d6839cf2522df9a1 |
| SHA256 | cfdd15994d45bdab93896b49593058f7d66359bb5a3bafacc76445ca920a64a2 |
| SHA512 | 13c361d2f5f45d5801972d9d59125f6d6635489c27c59075cd7941c7e56aa87daa2344ed7522efe17659fddba725f1b2adfae3f79b38c0d954d7dd2f8ae1853c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 15efd4124a44c379db940a75c0c16f99 |
| SHA1 | b0314ef50e4dbe209ae159fde20e7b8a7bc806e6 |
| SHA256 | 3c01fb5ac4a39c06b9e0dc435284a194f13ad02e147dd430e20929d4f5d72a6b |
| SHA512 | 35a7282739ee9593e571d6e6a1184bb0993596a553795d9b4794469d65bfbc7048e74ef110e3f20a97a909de3a9b08a3b573b451e3e809c8aab7bae037375aed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e04b0add276ff3b0c38e0357c7ceac5f |
| SHA1 | 3d9f80fcde99b7313568494f9d841567701eaf20 |
| SHA256 | b552cd86b724c8ae8a8ba311e2321b069e8d5a8e01c89c4cf319371ba9fb8360 |
| SHA512 | 25ab815711ec8525a3672256544b867c549a2c0c743ea7b9d930f5294fdcfd38a9d3b2eba265dae0b9fa714d3e0bb95e7965e44d4e0552a62e76c974b20b0de3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7bccba0189cdce4b0dade4bb3241dbf4 |
| SHA1 | 79ea6145ec83ee8f31aac70c6fa5bea0060af11b |
| SHA256 | 78bef118a62c4d25986ebbad88bd14ca6be2db41649791dda13b1e6ac8f013c3 |
| SHA512 | 3132c0c18cd0a313b98621e859451ccd53429a90b078307697c1ca70a62b9368cc320bc93d8b59ade22ab4e64add17ca33bdfdf8afe5784dfec3e6a039468f01 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win7-20240221-en
Max time kernel
140s
Max time network
122s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ShellNew\NullFile | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print\command | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe /pt \"%1\" \"%2\" \"%3\" \"%4\"" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe /p \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto\command | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ShellNew | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\ = "ShackUp Document" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\printto | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.shu\ = "ShackUp.Document" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe,1" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShackUp\\ShackUp.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\print | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.shu | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShackUp.Document\shell | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe
"C:\Users\Admin\AppData\Local\Temp\ShackUp\ShackUp.exe"
Network
Files
memory/2868-0-0x0000000000400000-0x0000000000476000-memory.dmp
memory/2868-1-0x0000000000400000-0x0000000000476000-memory.dmp
memory/2868-6-0x0000000000400000-0x0000000000476000-memory.dmp
memory/2868-12-0x0000000000400000-0x0000000000476000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe
"C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\xcalday.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
memory/2216-0-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-2-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-5-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-7-0x0000000000560000-0x0000000000595000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xcalday Calendar\config.txt
| MD5 | 8a33050b4e6b0bc73ff4caceaddb86ed |
| SHA1 | fc429301cca2a147b6b427fd2fdc722578cd4343 |
| SHA256 | 591fd1b180c014686e9085b792a34d6c5cab4124882492b38cd3dfab9692fca4 |
| SHA512 | 77eff53a212260f3808523682143236a96c7e40a5635af42dd738caee412bfc4c8068b4ca397cd9dfba1cd1dbea95cfc29386e1f96c2b9862ab5ae1dfe134eb3 |
memory/2216-10-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-13-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-15-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-18-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-21-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-23-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-26-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-28-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-31-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-34-0x0000000000560000-0x0000000000595000-memory.dmp
memory/2216-36-0x0000000000560000-0x0000000000595000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1512 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe | C:\Windows\splwow64.exe |
| PID 1512 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe | C:\Windows\splwow64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe
"C:\Users\Admin\AppData\Local\Temp\Eve\eve.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| NL | 23.62.61.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 56.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/1512-0-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-1-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-2-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-3-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-4-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-5-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-6-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-7-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-8-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-9-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-10-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-11-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-12-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-13-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1512-14-0x0000000000400000-0x0000000000454000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
103s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe
"C:\Users\Admin\AppData\Local\Temp\PDFproducer\PDFproducer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.152:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.152:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2344-0-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2344-3-0x0000000000400000-0x000000000041A000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win7-20240221-en
Max time kernel
140s
Max time network
117s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Password Generator\pg.exe
"C:\Users\Admin\AppData\Local\Temp\Password Generator\pg.exe"
Network
Files
memory/1952-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1952-1-0x0000000000400000-0x0000000000409000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win7-20240215-en
Max time kernel
140s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TheGun\THEGUN.exe
"C:\Users\Admin\AppData\Local\Temp\TheGun\THEGUN.exe"
Network
Files
memory/2228-0-0x0000000000400000-0x0000000000407000-memory.dmp
memory/2228-1-0x0000000000400000-0x0000000000407000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win7-20240508-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1680kb DMF Floppy Office Xtort Homage 2021 Edition\100k zipper v1.21\100ziper.exe
"C:\Users\Admin\AppData\Local\Temp\1680kb DMF Floppy Office Xtort Homage 2021 Edition\100k zipper v1.21\100ziper.exe"
Network
Files
memory/2232-0-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2232-1-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:19
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
103s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AntMem v13- Try to Free 64mb\64.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.14.97.104.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-09 07:16
Reported
2024-05-09 07:18
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
94s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe
"C:\Users\Admin\AppData\Local\Temp\Atlantis Nova\Atlantis.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/4968-0-0x0000000000400000-0x000000000052A000-memory.dmp
memory/4968-1-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/4968-5-0x0000000000400000-0x000000000052A000-memory.dmp
memory/4968-7-0x00000000029E0000-0x00000000029E1000-memory.dmp