Analysis Overview
SHA256
be41a99f8f216166f65b45c5c21f1c06cd2970a9ce6d82f1315da347f4afe661
Threat Level: Shows suspicious behavior
The file Text20gif.zip was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Detects Pyinstaller
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 22:43
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3300 wrote to memory of 3296 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe |
| PID 3300 wrote to memory of 3296 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\create_gif.bat"
C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe
gifski --fps 50 -o clip.gif frames/frame*.png
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win10v2004-20240426-en
Max time kernel
130s
Max time network
107s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe
"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.md\ = "md_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.md | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1952 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1952 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1952 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2496 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2496 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2496 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2496 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\readme.md
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\readme.md
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\readme.md"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 492f9437a655db4ea46bc2490f356297 |
| SHA1 | 0e73ac28be2af6a2eb86ef17ecc4ec7c61ff1ee2 |
| SHA256 | 8756bf642ea2456b68b6e7b50a223295bdf359a4340d5bb890e04315f2e7575b |
| SHA512 | cb2fae2bd361853060187aa8db2ae96f25d4e49b4e92ff3d2fa1aa6dcc4700ba5a5e133dd888a6b5b30e1cb29b8983878927afa0c622ba29f10aa8b4d9b8f92b |
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
103s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\temp-frames\readme.md
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\frames\readme.md
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win7-20240221-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1100 wrote to memory of 2016 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\fontview.exe |
| PID 1100 wrote to memory of 2016 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\fontview.exe |
| PID 1100 wrote to memory of 2016 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\fontview.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\primordial.ttf
C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\primordial.ttf
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win7-20240220-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe |
| PID 2208 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe |
| PID 2208 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe
"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe"
C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe
"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI22082\python38.dll
| MD5 | 9e3ded73b6263b671a1d6c98256b721a |
| SHA1 | 814045f7a2be0ab7a8d34dc8156ba9ca06253ab9 |
| SHA256 | 215e4f42658a1ba952197a3973ebafd2cd1d40a41c335ae376feacbcf5b04e87 |
| SHA512 | 8323ffb40bbaee89b1a3f1a160a24776394591ed21dc63ccb82bece7b9a1fdc2c10404eb9f3f94bae730c57bdfd99210f67a532f789f5e5c5ea14fe76b3ad05b |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\base_library.zip
| MD5 | ef85fd90311ad1d32e5eb93e6195a2da |
| SHA1 | 34b356978571872f6ca3b7779ea9be265db65894 |
| SHA256 | 50b2065fb651a5935816aca199e0dc8eeaaa73363428c83cdcdcb49da4940163 |
| SHA512 | 03665836836bf5f1c29fd270628d86f8b6cb5bdb3d43eb36894853a40dfa533abe76c5c74466d3c636c8f9323c323f50725ea569bca8eee495f71fd1677248c3 |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\_ctypes.pyd
| MD5 | 9082abcff2c89a406e7eddc1a1d4afd9 |
| SHA1 | b114950c87dd1c544cf02704f5164a315993a716 |
| SHA256 | 591392e5c488defdcfb179bc0db96504577e2122370ae480e840a90d53ce3f44 |
| SHA512 | 3176d9898c77bb766679242c9667516868b25eadf59d7b92fe751d3bb81a9f4b68472df0d6234b159f27ca1503de29f574bd09b072cd38f503c8d5348d9dd4f5 |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\_socket.pyd
| MD5 | 458f0f0ed8d16019d7c2d157bddea94b |
| SHA1 | d21848e4ebafac0b9e9ca8d71e4f8cd2b5aaca57 |
| SHA256 | e6bdbe5d5d66c9790e490f6dbb695ca87a9acffa51c4a37d2948b7f1ba2c8b42 |
| SHA512 | 00eb3c535a0074765f146523b0bb6f16360609a13a38579b19a2635590c2d947c5eaa7e78e7a9324b3670c505d6310e75e78f7e6fdadc23aa12ad165bdfccc69 |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\select.pyd
| MD5 | ac8caceeaa28137a14784563d126ed7e |
| SHA1 | 4dcbe48eaa53d5c7d91c420df823dbff54f4da5f |
| SHA256 | 8e6d1a33b16dcc3922f7159a30ff596194a59b4a8fb5f9864517f03fd19f2c78 |
| SHA512 | b67bff989af102f5087d95993e9bd57c6808e401979707bc2d33b386326b964abb71f497d82747725fb040a1d337ee453a1d57c37b72fdc06f7ea7687dda8f12 |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\_bz2.pyd
| MD5 | 70a3a9e6d086a965bd164eb171f3f537 |
| SHA1 | a85dea115761d8a85ea08004fa65d975bbf37fdc |
| SHA256 | 5294b29c8130bad79b0a4ba9007f076843ebd35df6317b90ec9822f0ba3d8b57 |
| SHA512 | 447937793cbbe64025db3f3a51cc2124fc73a418aa690db1ff5290edd4deac6a34d894653a33356e1d7ea3fdfcde801c9daa00873c0409d2223217d403c954a0 |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\_lzma.pyd
| MD5 | 24919c42c43d9ef08d4e372c339d9e47 |
| SHA1 | 4ed83cdab8830605a7bb75cb03a5764b8ee5c886 |
| SHA256 | d8e4150517435b30913f4016df052dc7409d0e2b69b5f24333c274d504c4633f |
| SHA512 | d2b8a9eed20e27390b47b23140feac340cf448c5c4b5deefe3e42f91e1b3482be1cffa5499b0c062e36ecea8990bea2523dbbef58acc816d3a0f89eddbab5ff1 |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\pyexpat.pyd
| MD5 | b9927b95ff204d9149b6ef7430e70220 |
| SHA1 | 502e0311a32bd5ce2dea87ffce21ddbaf255b07f |
| SHA256 | e383225fd8917977fe16f628f9bc9c9cfaf346feb3a90f1f0615dbfb64cc1496 |
| SHA512 | fc5e879dbce1585cf2726c7db480e81b7180276c8c537b43e33b74e47a0c6d7a292b9843cd60b45046d3dabc9b165891e3ac57b7bd39a391bfea1b9aae51fb30 |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\_ssl.pyd
| MD5 | 486431c1032139d202565800a0729a3b |
| SHA1 | 0c43a02f1ba3162033410926fe4b22fe79ed81f1 |
| SHA256 | 3dce8bd61cc46761033cd1457c64fe66ff306ea77aadf5543834a9be3b50c074 |
| SHA512 | 4906d70e76ee1dc308027662613b29872f1c97f3e6390c913f1bb456c7be172989f6d1c5671500c23e7d5d054281e10de8d822350aa5606b73d7518b7c4beabe |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\libcrypto-1_1.dll
| MD5 | bf83f8ad60cb9db462ce62c73208a30d |
| SHA1 | f1bc7dbc1e5b00426a51878719196d78981674c4 |
| SHA256 | 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d |
| SHA512 | ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\libssl-1_1.dll
| MD5 | fe1f3632af98e7b7a2799e3973ba03cf |
| SHA1 | 353c7382e2de3ccdd2a4911e9e158e7c78648496 |
| SHA256 | 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b |
| SHA512 | a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0 |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\_asyncio.pyd
| MD5 | 8c28ec788e715e3ca5dc2dd42cf9d250 |
| SHA1 | 16e1b4c324f6f2fa7a206b5fbdd652477756825a |
| SHA256 | 91a6cb5ff61c48cdfff369341aa7ad85cca7a3cd32e714f6e80187f7ee399d3b |
| SHA512 | be67d56fc6c7b672467626a30ae56943e6a9f1fbcc66c9edef5a67935bf314c7f745e6029eade27c4acd525e38ffcda77e3f229a7a5f4ada35547d39f2955a00 |
\Users\Admin\AppData\Local\Temp\_MEI22082\_overlapped.pyd
| MD5 | 3306d52d49aa0107495e138bf5f64694 |
| SHA1 | ddf8a31cde3e34fe2ba4f8ba57ab1f47a379046f |
| SHA256 | 3f3032201cc0e94e73d227f905a99cbf5c117b16fdd29eea210fe6cfdeed38d5 |
| SHA512 | 6fe3d3ced390572cdc874752b095c7adb0b2c1a5251d614da47c8bfd20dce1fc1a32c7b775dceaca5633cbdf33b4e47941c95a8a3c80a1341debdd6882275f0d |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\PIL\_imaging.cp38-win_amd64.pyd
| MD5 | b684a867c543afa326e50f0baa1ecb6d |
| SHA1 | 4f20d3b8c647fc424bf61ea48a3d275838c99f3a |
| SHA256 | 44fd0c580d2ebbc7899f52fccae53c36cc89f502d593a8341007d21316350b26 |
| SHA512 | 45883d15c042b2e85dd74cd61306d8dd0fae5084f8971164ea1a7716f095036ced0b892a946660e2b68603362186946f9cf2de04f95ae0d46994a01f86b95e18 |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\VCRUNTIME140_1.dll
| MD5 | 135359d350f72ad4bf716b764d39e749 |
| SHA1 | 2e59d9bbcce356f0fece56c9c4917a5cacec63d7 |
| SHA256 | 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32 |
| SHA512 | cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba |
C:\Users\Admin\AppData\Local\Temp\_MEI22082\PIL\_imagingft.cp38-win_amd64.pyd
| MD5 | 6447dc0adb8dafc7cfe790366ee0d6e5 |
| SHA1 | e69006d5cde6eae7132e1f639abf54107dd4afdd |
| SHA256 | ea3cd8c3f3e6a1bd76eaf7abb1b3d329bf78b2bd0f716ef5fd47644c56c822d3 |
| SHA512 | 8ca2b3ce7bee04b04f26121144c77407c37439ae3d3c590799ae7ce48171b71e97b662bd1f14e7ca7474d9a280a2cd365f428a1ccfca0cb205ab8228a2b039d5 |
\Users\Admin\AppData\Local\Temp\_MEI22082\MSVCP140.dll
| MD5 | 6da7f4530edb350cf9d967d969ccecf8 |
| SHA1 | 3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9 |
| SHA256 | 9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da |
| SHA512 | 1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab |
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2972 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe |
| PID 2972 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe
"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe"
C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe
"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI29722\python38.dll
| MD5 | 9e3ded73b6263b671a1d6c98256b721a |
| SHA1 | 814045f7a2be0ab7a8d34dc8156ba9ca06253ab9 |
| SHA256 | 215e4f42658a1ba952197a3973ebafd2cd1d40a41c335ae376feacbcf5b04e87 |
| SHA512 | 8323ffb40bbaee89b1a3f1a160a24776394591ed21dc63ccb82bece7b9a1fdc2c10404eb9f3f94bae730c57bdfd99210f67a532f789f5e5c5ea14fe76b3ad05b |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\base_library.zip
| MD5 | ef85fd90311ad1d32e5eb93e6195a2da |
| SHA1 | 34b356978571872f6ca3b7779ea9be265db65894 |
| SHA256 | 50b2065fb651a5935816aca199e0dc8eeaaa73363428c83cdcdcb49da4940163 |
| SHA512 | 03665836836bf5f1c29fd270628d86f8b6cb5bdb3d43eb36894853a40dfa533abe76c5c74466d3c636c8f9323c323f50725ea569bca8eee495f71fd1677248c3 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\_ctypes.pyd
| MD5 | 9082abcff2c89a406e7eddc1a1d4afd9 |
| SHA1 | b114950c87dd1c544cf02704f5164a315993a716 |
| SHA256 | 591392e5c488defdcfb179bc0db96504577e2122370ae480e840a90d53ce3f44 |
| SHA512 | 3176d9898c77bb766679242c9667516868b25eadf59d7b92fe751d3bb81a9f4b68472df0d6234b159f27ca1503de29f574bd09b072cd38f503c8d5348d9dd4f5 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\_socket.pyd
| MD5 | 458f0f0ed8d16019d7c2d157bddea94b |
| SHA1 | d21848e4ebafac0b9e9ca8d71e4f8cd2b5aaca57 |
| SHA256 | e6bdbe5d5d66c9790e490f6dbb695ca87a9acffa51c4a37d2948b7f1ba2c8b42 |
| SHA512 | 00eb3c535a0074765f146523b0bb6f16360609a13a38579b19a2635590c2d947c5eaa7e78e7a9324b3670c505d6310e75e78f7e6fdadc23aa12ad165bdfccc69 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\select.pyd
| MD5 | ac8caceeaa28137a14784563d126ed7e |
| SHA1 | 4dcbe48eaa53d5c7d91c420df823dbff54f4da5f |
| SHA256 | 8e6d1a33b16dcc3922f7159a30ff596194a59b4a8fb5f9864517f03fd19f2c78 |
| SHA512 | b67bff989af102f5087d95993e9bd57c6808e401979707bc2d33b386326b964abb71f497d82747725fb040a1d337ee453a1d57c37b72fdc06f7ea7687dda8f12 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\_bz2.pyd
| MD5 | 70a3a9e6d086a965bd164eb171f3f537 |
| SHA1 | a85dea115761d8a85ea08004fa65d975bbf37fdc |
| SHA256 | 5294b29c8130bad79b0a4ba9007f076843ebd35df6317b90ec9822f0ba3d8b57 |
| SHA512 | 447937793cbbe64025db3f3a51cc2124fc73a418aa690db1ff5290edd4deac6a34d894653a33356e1d7ea3fdfcde801c9daa00873c0409d2223217d403c954a0 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\_lzma.pyd
| MD5 | 24919c42c43d9ef08d4e372c339d9e47 |
| SHA1 | 4ed83cdab8830605a7bb75cb03a5764b8ee5c886 |
| SHA256 | d8e4150517435b30913f4016df052dc7409d0e2b69b5f24333c274d504c4633f |
| SHA512 | d2b8a9eed20e27390b47b23140feac340cf448c5c4b5deefe3e42f91e1b3482be1cffa5499b0c062e36ecea8990bea2523dbbef58acc816d3a0f89eddbab5ff1 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\pyexpat.pyd
| MD5 | b9927b95ff204d9149b6ef7430e70220 |
| SHA1 | 502e0311a32bd5ce2dea87ffce21ddbaf255b07f |
| SHA256 | e383225fd8917977fe16f628f9bc9c9cfaf346feb3a90f1f0615dbfb64cc1496 |
| SHA512 | fc5e879dbce1585cf2726c7db480e81b7180276c8c537b43e33b74e47a0c6d7a292b9843cd60b45046d3dabc9b165891e3ac57b7bd39a391bfea1b9aae51fb30 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\_ssl.pyd
| MD5 | 486431c1032139d202565800a0729a3b |
| SHA1 | 0c43a02f1ba3162033410926fe4b22fe79ed81f1 |
| SHA256 | 3dce8bd61cc46761033cd1457c64fe66ff306ea77aadf5543834a9be3b50c074 |
| SHA512 | 4906d70e76ee1dc308027662613b29872f1c97f3e6390c913f1bb456c7be172989f6d1c5671500c23e7d5d054281e10de8d822350aa5606b73d7518b7c4beabe |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\libcrypto-1_1.dll
| MD5 | bf83f8ad60cb9db462ce62c73208a30d |
| SHA1 | f1bc7dbc1e5b00426a51878719196d78981674c4 |
| SHA256 | 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d |
| SHA512 | ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\libssl-1_1.dll
| MD5 | fe1f3632af98e7b7a2799e3973ba03cf |
| SHA1 | 353c7382e2de3ccdd2a4911e9e158e7c78648496 |
| SHA256 | 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b |
| SHA512 | a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\_asyncio.pyd
| MD5 | 8c28ec788e715e3ca5dc2dd42cf9d250 |
| SHA1 | 16e1b4c324f6f2fa7a206b5fbdd652477756825a |
| SHA256 | 91a6cb5ff61c48cdfff369341aa7ad85cca7a3cd32e714f6e80187f7ee399d3b |
| SHA512 | be67d56fc6c7b672467626a30ae56943e6a9f1fbcc66c9edef5a67935bf314c7f745e6029eade27c4acd525e38ffcda77e3f229a7a5f4ada35547d39f2955a00 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\_overlapped.pyd
| MD5 | 3306d52d49aa0107495e138bf5f64694 |
| SHA1 | ddf8a31cde3e34fe2ba4f8ba57ab1f47a379046f |
| SHA256 | 3f3032201cc0e94e73d227f905a99cbf5c117b16fdd29eea210fe6cfdeed38d5 |
| SHA512 | 6fe3d3ced390572cdc874752b095c7adb0b2c1a5251d614da47c8bfd20dce1fc1a32c7b775dceaca5633cbdf33b4e47941c95a8a3c80a1341debdd6882275f0d |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\PIL\_imaging.cp38-win_amd64.pyd
| MD5 | b684a867c543afa326e50f0baa1ecb6d |
| SHA1 | 4f20d3b8c647fc424bf61ea48a3d275838c99f3a |
| SHA256 | 44fd0c580d2ebbc7899f52fccae53c36cc89f502d593a8341007d21316350b26 |
| SHA512 | 45883d15c042b2e85dd74cd61306d8dd0fae5084f8971164ea1a7716f095036ced0b892a946660e2b68603362186946f9cf2de04f95ae0d46994a01f86b95e18 |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\VCRUNTIME140_1.dll
| MD5 | 135359d350f72ad4bf716b764d39e749 |
| SHA1 | 2e59d9bbcce356f0fece56c9c4917a5cacec63d7 |
| SHA256 | 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32 |
| SHA512 | cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\MSVCP140.dll
| MD5 | 6da7f4530edb350cf9d967d969ccecf8 |
| SHA1 | 3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9 |
| SHA256 | 9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da |
| SHA512 | 1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab |
C:\Users\Admin\AppData\Local\Temp\_MEI29722\PIL\_imagingft.cp38-win_amd64.pyd
| MD5 | 6447dc0adb8dafc7cfe790366ee0d6e5 |
| SHA1 | e69006d5cde6eae7132e1f639abf54107dd4afdd |
| SHA256 | ea3cd8c3f3e6a1bd76eaf7abb1b3d329bf78b2bd0f716ef5fd47644c56c822d3 |
| SHA512 | 8ca2b3ce7bee04b04f26121144c77407c37439ae3d3c590799ae7ce48171b71e97b662bd1f14e7ca7474d9a280a2cd365f428a1ccfca0cb205ab8228a2b039d5 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1924 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1924 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1924 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2632 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2632 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2632 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2632 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\text_to_gif.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\text_to_gif.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\text_to_gif.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 84672eb992c1fc61776d86ba0fda0ede |
| SHA1 | fb49f9fc39db120d2df3322330bf5b184e5ea699 |
| SHA256 | 799c2ae7f4746573dd3b1e4aa829d466ee37e859e3271706f9c956ec9d20d17d |
| SHA512 | 34a3399c8841e423f101c3d81752f87121092ab0b8ec42fcc6aae603897e60198579357b9926741a39214a05063ec26447c9e9d1ce6646951d49999297d35de2 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\text_to_gif.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
109s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bane2.png
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win7-20240419-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2460 wrote to memory of 1624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe |
| PID 2460 wrote to memory of 1624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe |
| PID 2460 wrote to memory of 1624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\create_gif.bat"
C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe
gifski --fps 50 -o clip.gif frames/frame*.png
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe
"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd951702000000000200000000001066000000010000200000003b1894c90f940c2e6085136b67b1ace26e1d1455923873a90470c34c7d29c65b000000000e8000000002000020000000d2b188d07a3f0988316f0b40de648c91c6bc0b4e24d3ecad46cd480fd34758422000000022086a3237a60a3337cb26f552235df84b7fa4cbbfb9724cae219aa387ccb27140000000cb5f61bfee70ff998a137b6ba72625eabdce3ae99923bc22b1b8ea7069e48f1b60940efdbd0f83219f36454e1779405554c631463e612c1684ffea4e7cc9bac9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0ee987ed0abda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2021142433" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108048" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108048" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A282DDA3-17C3-11EF-B9F7-5E2396FD2BC6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd9517020000000002000000000010660000000100002000000045f3438767d6d46072d1b455cd16f8b480301b594ca1a6886232f7877e29778c000000000e8000000002000020000000044db04f57c61378a76f63f3fb389031239f58c1b6bb308238d53b7370cc8b0b20000000659659d172f47c2732c3609c0927b402d24ce15bd52e31bb70bb4b495d42b1bd400000000824dafc5a9b8bf598a08e46b48726d6539b56384d47e3c5e134619975a567216c10f0a1fe91552d4e658093babac11d6de7ba3bea02b4b4efe16cdede035c8c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f09bb17dd0abda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108048" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423096433" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2021142433" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2070986227" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 2400 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2332 wrote to memory of 2400 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2332 wrote to memory of 2400 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\logo.gif
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5196 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 78207b82cd88741596bfbe35667bef0c |
| SHA1 | d2aa9f014d12219d074f7b4c92efebbf8e615791 |
| SHA256 | 55b97539e3725b2fd6fdbb103e48b51e8cc3b4dd33e3e3c5d74bdfd54e48d01d |
| SHA512 | 2b7a26550c51d8bf6eceafcf1ca47f2f02f02700b13ac2684442592b5a774f9a667227ac9865387234c556fd24de20239edd1b2e9085025840ecbc844a480083 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 1df8c673305a1cc5256117813d43cfc2 |
| SHA1 | c884e950c1414c10d908ef09026038be70fe3852 |
| SHA256 | aa854bda9c1ec2a0482b866d9986b7315261c54dc8e98e22d19a509adb43dd42 |
| SHA512 | 97bfaf072088ee1f60ad59005c624a216f3dd2e3018ad265371153bf347d3fa328da258c2df893dfb54fc48a5b9c8cb1cd35b62bc5b2e92a6721f6d56e1c87da |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win7-20240419-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.md | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.md\ = "md_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1860 wrote to memory of 2736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1860 wrote to memory of 2736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1860 wrote to memory of 2736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2736 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2736 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2736 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2736 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\temp-frames\readme.md
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\temp-frames\readme.md
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\temp-frames\readme.md"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 78b9b98104c4c026876410fb28187d09 |
| SHA1 | 41a492e60e9ab150d7d57c72252854d249d1ac12 |
| SHA256 | 485a5bab18d8082ca3cad932145ce0f0176b107ced9c562db500fbbab7c4e717 |
| SHA512 | c6035b0077d72de1f154c56a23185fcd1d07bd90088ae652e7929bdd15e420b93f58be768328c6d2bcbb953d04274adb93c578831b4ee32f1715d670ab622c54 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win7-20240508-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py\ = "py_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2052 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2052 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2052 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3068 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | e150025d503eff9f672c2b41b1d538a3 |
| SHA1 | 12ac612cb01cabd79a09a2a9d26c48cf3938e74e |
| SHA256 | 54f2b84cc035b358bd6fb1287ee007ff8d033970d8f5f56a67d759b8dfc6f91e |
| SHA512 | 56b25f26f16cfdd5fd369bbd9020edd65004eb6477f49baadb6fad439088e132d5c423998a7341b379b7e6404bcba799643b7a22f1e11e14a2ce07945a3375d3 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win7-20240215-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\bane2.png
Network
Files
memory/3012-0-0x0000000001D70000-0x0000000001D71000-memory.dmp
memory/3012-1-0x0000000001D70000-0x0000000001D71000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win7-20240221-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.md | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.md\ = "md_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1996 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1996 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1996 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2740 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2740 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2740 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2740 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\frames\readme.md
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\frames\readme.md
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\frames\readme.md"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 486ed627bef78a833cc102aa89f4d97e |
| SHA1 | 9eb4fffa01776c681614e2054a933dab4c7d5b29 |
| SHA256 | 3ea7ba863b024f5bf57055da05e8d3c194cf06b83a3eb611d48ccdadfcfaa000 |
| SHA512 | 548f670339aee22c1d35a3984b28abd325d07327d526d5bcce61abf0ae682f28ee420c74845da35ad2625cc9f2d09c17d8be37acd8ba725182cfe6b16c529906 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win7-20240419-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0ae9073d0abda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000e544795a3d12ac216594bac58eda5b3c17f8cefa03b1e0a6504e5bff9720ed6e000000000e800000000200002000000047ce3075877ffc54e296756114defa773a1a046e6f11c4dac97f43f3f978903f900000008226d1802d6dbc62c5691cbc9301c0ef995ad90fdd53a17a5a06891bc28128b50cd2ef5e13bec31c42a7e60527cfc9c3c80018afcf9396bdc900e96248fdf35a81ecc98975697bc80a13632d626a9a0e83f504905a20327d07d2aba275ec8e6f79c215b7750f0551b7b28a7caef7ac991be4847b4ae06cc04dcb64f3eb6ff1e5f6bd08f059045b49266a9a993ec5b6d1400000003c3cf1fd07a77316cb237eb04d285f1c7810067d8456e867379c3fc7c57c6ac2866e830401cd362407662db803ec06b1938a68766728eb279060406912571384 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9EF16341-17C3-11EF-97A3-C6E8F1D2B27D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d10000000002000000000010660000000100002000000022e568a2856f7bfd506551df52074442a8abcceae52e1289f404dfc807d6943e000000000e8000000002000020000000cebbd14a946d5a11477e2b7d75f26d6867cafe0d5af55425474c39af464cca9320000000cf7343e6d109dbeb3fe195e87b140cd2ad7cc785d060c30309ed032bbea8a39b40000000c134e9ef4350282ec85ff219b113d558402e4abde93ded8e921e77805d1ec6e27b70c8d3229b2ddc3b721747de2ef5e4faf68abb71634708c639df9a090019c2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422493309" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2428 wrote to memory of 1648 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2428 wrote to memory of 1648 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2428 wrote to memory of 1648 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2428 wrote to memory of 1648 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\logo.gif
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab3046.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar30B7.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 27d9d4ac76bf9ea0735aa2f122bcf709 |
| SHA1 | caa61cdb6f6e3ebb9672f4b0c8b2cef104f239a2 |
| SHA256 | fa98d87e160fc88077add606e59becd52ce98f54c642b8b2b1bc510f3dd76e00 |
| SHA512 | 24db14762d9f6c2732d9d82484ec49d76811a10cb7bce6417e55b774dd57647f70e0f5fdf939b0492c49ffca036701b5cda0c7d3a3a7934e189a209116b77ee2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 68274d906bab4148c96956336983f949 |
| SHA1 | 58d4f0915eb371380d4facf2d7c74c8a3fb7a81b |
| SHA256 | 71d1ee2b737ee89cbdc7e805d37bb166a6a30ed754cddee0b1ed97a4c649ff65 |
| SHA512 | 6f6d8a89aed16a0e83bfe51d5577fad2922825afa62373646e2dae0a4e7688dc6202c77d9a62d5aaa94bb8b0969a025c94bb91e1aa8fc28e7ec3f0afbba6448e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f84eba26d85650b502ccc2acff4f20cb |
| SHA1 | 7494f639ac5595e2b97f4af123df6b49de620dd2 |
| SHA256 | d46bc26741f6b6d02bd491ad0ebf62ac85737fdbaabdb285bb21a6f28d7423f3 |
| SHA512 | e235ebaf620ecc42b849dad5d8a3b3ccb06493d60c8f452fe477e07400999a8fad3c693614d738bb7a9b1d68271a5b2fe7bdd0fe01726ab63350b5829dbf3234 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 498c10c9e8d5e2b36b295df41870fb9a |
| SHA1 | b2b606af0da02de60e8678d1969716d4f18d5108 |
| SHA256 | 9e06b8b0dc3165f2d3cefbb34e341880985a24e15a149dfab400fe23f9af2596 |
| SHA512 | 7216a3c2c415284a30edb982d5d00c03dfe66d27f7b9ea8d3f4e0d6184d21e9d6b29c50cca9ca80758799299b1b2daa8ac2c00c01f4359642ab07001f040e395 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c30acc56552450fce56acaef99f76cac |
| SHA1 | 8e7e1aa5e003ba6ab8b33f9505535d8964dba87b |
| SHA256 | 810eda05c415ab1477bfb24825b533192766fb88428e727f2a85bb07385adb6c |
| SHA512 | 5931123de665196e90a3fd926c87b9f94dcd9c2fbf6732d72dd9804cb7260348bff86b10065879f3f162765e777567bc5c144f0a924349d756fba999d8a917f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 621dce0ab501a551fbe6d75374c03376 |
| SHA1 | b32930cc82013dd9d3913b2ca1b49c837aaa2faa |
| SHA256 | 79f2570929a5b1155f6c1ffdb5ff2e40bafd4c911e74322b3825e211f1298d71 |
| SHA512 | eb42470c95108ab4166c6f359502ab93ec31f5ecc97fb9c9cb5684c6dc2d278be8147dc163c11858224fbda0e549588ea7c947f7a3553e1fa60ded42788159e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5fbeedce04feef196f6945afff8a7b71 |
| SHA1 | 51f35af009d2d9f1c149957d4b12cd24e008b92c |
| SHA256 | 27d5ecfb9543a55609eb046ada889613595595b2279a543c22bf1f9d22378490 |
| SHA512 | 707587289351025386ff4a16d653dd4014abce4fb8f55d078b511edb5a777add3e3ec3dbedb26b99849b410aba99e5971c40d22a78925b51cc88a377cc5bcb5f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0132aa8db7dd434a62de57d08e00efc4 |
| SHA1 | 3296c301ec83d3c20a34f7fa1aa68df0a1ee911b |
| SHA256 | d4cc683e8f885fd032e2c6aeb8b394cc42ad539b67b5104a56c62e815cf0583b |
| SHA512 | ab8431dde7bd7d90898f2e30a1a4191601100aafcc383372523f0d6dcbb2394885d5d4ba3dc63cd9624084fa4c1f63a6dc5a08f7f164d150603efb3b4f5377da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b90c20d1fced91ffeff59c9a9fd827c3 |
| SHA1 | 52073b06ab4d3aaafe41f2fa2ec4ff2520aae3a9 |
| SHA256 | ad67c0704b3e76a73da85c7825f1ea1af8d51fc82e975553bece21d9be6903a0 |
| SHA512 | be16a93a29dd883a3fa6eeb6c7e78a1fe08ec1ec3b43bf3c6a0c43946e7141483f728d4a5759503d426e44c754dbfa3df46cdcacdf642d5460758fa75b37609c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 870cf68fed589c8c1944ee277912c032 |
| SHA1 | 01b17fa91a948adf15e69b821c37ae12607c68b5 |
| SHA256 | 55cb3fb0703772cc334c2df0492115c0ce159a4eef67779fe8f0037c3cd93f8c |
| SHA512 | b239c01e5ebadf6ace617a8d328784cc0865a1d1199bb16f298857619a29390cfaab5cadd52756cabdf70fd9f16589ca1c37967531fb8ac06b7b30a3c8dd3cda |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a04c1db6666efcdc35aef73157cae15c |
| SHA1 | 83f69ed1d4e20c1e0bf0f7a65107f90e9e520166 |
| SHA256 | c3d4d2fe7c2fb11f5e9a0892001f87c22deb1dba2226a5fa8e634111d7ec11ff |
| SHA512 | b1b99cdbab35a0327bce5a530e1619d60c73b92620c3e84aae2fceca364c993a33cd4d7ec9c42b7051b4f36182d1e8c0a84126369000301356cb32a4ae96f2b7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7afd0cd83fa556df230652485f3d082a |
| SHA1 | e99ffa293fa977aaadd582c26146ff9bff5e4819 |
| SHA256 | 5bd47be35f6fc0380ed45c000138e083c429e58608b2f39937180c601b482659 |
| SHA512 | df032e6087707211f796f9ccc6d72b182976d04c5e62e8efa34577f40eeb6e097d856e49d6d3f256ca49d2b0da55a36a18945c2fbd8a2c4af42bcf6e96ec802b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0f30dcbf695e7208056092e55852a127 |
| SHA1 | a5b92fbfc756cf21291ca11df771df6e9f26114a |
| SHA256 | 52afb61432d0812e4ad617bd398276ba2c1ada97e2900b1eb22fc612bb26577f |
| SHA512 | 0490672ca57eb4263578de3f8eaabba59c9305d7d082a28ec53d58d96a5abe4fa282c1b428ef7b20969044165b236ead3ae42738e60c459298ad82ce1249b99a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f1894e5f505047fbedd065275ffea5f2 |
| SHA1 | dc7c651bb5acaa7e0ac87289a913601eeabc7950 |
| SHA256 | f73af967ce7c0f50c5b624e25805bcafebae79f73823f31f6d6e6d6d86996018 |
| SHA512 | 4c1ef7a63d7851e0972b556012712e09d02dc4179830f5b734b32804aab0ca2fd709a7984bf89d7886fb7ae25da5af0bfbad933f3c96449e6c88a6c9bd40a673 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95026272644781c9badbd40782373c79 |
| SHA1 | 5b42053939704c877ce32e465e5d8742401de4d7 |
| SHA256 | 944830e7076a0cf4051e4fc2ddea232f2e5e491d255533365f65ae15fc138a35 |
| SHA512 | cd36d9befec7eee352ab868cff95624c40c75781e937952e4458bdebe0dbb466c9f49b84157ea97f1135266204ae902096a67eb1cbfbf121562d6c673e64c635 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b85f819497411bfd7f6f9b46c703a110 |
| SHA1 | 2c094beed9d3c413dc80b7c5817e1d2b3f09948d |
| SHA256 | 9bf97367843d85019c03ccd3360f6acd7e5a3ea157b362fc89b46885591d6d97 |
| SHA512 | 2d5ffdd9a0943da25f1465531092563a5d47dbda9411de83c29204b59ed2d0b55686ce72cba101a211f087e0d197b8f7f8899a970944be9e8ed5a6543d9f4114 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c0521599a7283a8f7024e1451a5aa901 |
| SHA1 | 9b50c16d87a24d60d78412e6a005df76ddacaaad |
| SHA256 | 28a0b41a24328b5b533efe00e9c4af554b42c06575a7194ff00f1a5e6e2fb7bd |
| SHA512 | a5dd3bfdcff8cbdbf4ddbc831bfb7558ac9583f0d3643f82e81cac5e65e3027b2945de5eabe57dfbc16f3c0aae1569c90ec8d1b3dad9836c3124818ed96017e1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2080182e98cb27587463921c186e3505 |
| SHA1 | 76ffd7f12f3835d52b8afb3e2b888f338e4ff911 |
| SHA256 | d5571241386f84d85333cfc344a0fca138a6f9ae9c5531269df268b4e4a47bd4 |
| SHA512 | 63e9790ead61db395a15b0e6703e6cc149120e22b876f780849e0f1ac17cc91020bdae86e2f6431e652719a14caf0ae05efb32faf4981e68c82a39fd77e4d060 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 986716162818b352b1d7b52154630f01 |
| SHA1 | 8072689fd59595b106e6af4164eaf9d7e016a40e |
| SHA256 | 7d0beea3d10a0632cdaaebd2487d2e778b080b1c1931a53ceef59ee57b16d8c4 |
| SHA512 | 1e8a544cebcd62e443da4ab2054a1f3f18686545a593af8132791d9767131173fbc87ca007e9c628ddf3415ca058fbdf8a794645a63c0c15d86466cdc4cb839c |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1004 wrote to memory of 2156 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\fontview.exe |
| PID 1004 wrote to memory of 2156 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\fontview.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\primordial.ttf
C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\primordial.ttf
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-21 22:43
Reported
2024-05-21 22:46
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
104s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\readme.md
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |