Malware Analysis Report

2025-05-05 21:25

Sample ID 240521-2ndcmscf92
Target Text20gif.zip
SHA256 be41a99f8f216166f65b45c5c21f1c06cd2970a9ce6d82f1315da347f4afe661
Tags
pyinstaller
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

be41a99f8f216166f65b45c5c21f1c06cd2970a9ce6d82f1315da347f4afe661

Threat Level: Shows suspicious behavior

The file Text20gif.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Detects Pyinstaller

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 22:43

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\create_gif.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3300 wrote to memory of 3296 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe
PID 3300 wrote to memory of 3296 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\create_gif.bat"

C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe

gifski --fps 50 -o clip.gif frames/frame*.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win10v2004-20240426-en

Max time kernel

130s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe

"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\readme.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.md\ = "md_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.md C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\readme.md

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\readme.md

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\readme.md"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 492f9437a655db4ea46bc2490f356297
SHA1 0e73ac28be2af6a2eb86ef17ecc4ec7c61ff1ee2
SHA256 8756bf642ea2456b68b6e7b50a223295bdf359a4340d5bb890e04315f2e7575b
SHA512 cb2fae2bd361853060187aa8db2ae96f25d4e49b4e92ff3d2fa1aa6dcc4700ba5a5e133dd888a6b5b30e1cb29b8983878927afa0c622ba29f10aa8b4d9b8f92b

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

103s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\temp-frames\readme.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\temp-frames\readme.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\frames\readme.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\frames\readme.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\primordial.ttf

Signatures

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\fontview.exe
PID 1100 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\fontview.exe
PID 1100 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\fontview.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\primordial.ttf

C:\Windows\System32\fontview.exe

"C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\primordial.ttf

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win7-20240220-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe

"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe"

C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe

"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI22082\python38.dll

MD5 9e3ded73b6263b671a1d6c98256b721a
SHA1 814045f7a2be0ab7a8d34dc8156ba9ca06253ab9
SHA256 215e4f42658a1ba952197a3973ebafd2cd1d40a41c335ae376feacbcf5b04e87
SHA512 8323ffb40bbaee89b1a3f1a160a24776394591ed21dc63ccb82bece7b9a1fdc2c10404eb9f3f94bae730c57bdfd99210f67a532f789f5e5c5ea14fe76b3ad05b

C:\Users\Admin\AppData\Local\Temp\_MEI22082\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI22082\base_library.zip

MD5 ef85fd90311ad1d32e5eb93e6195a2da
SHA1 34b356978571872f6ca3b7779ea9be265db65894
SHA256 50b2065fb651a5935816aca199e0dc8eeaaa73363428c83cdcdcb49da4940163
SHA512 03665836836bf5f1c29fd270628d86f8b6cb5bdb3d43eb36894853a40dfa533abe76c5c74466d3c636c8f9323c323f50725ea569bca8eee495f71fd1677248c3

C:\Users\Admin\AppData\Local\Temp\_MEI22082\_ctypes.pyd

MD5 9082abcff2c89a406e7eddc1a1d4afd9
SHA1 b114950c87dd1c544cf02704f5164a315993a716
SHA256 591392e5c488defdcfb179bc0db96504577e2122370ae480e840a90d53ce3f44
SHA512 3176d9898c77bb766679242c9667516868b25eadf59d7b92fe751d3bb81a9f4b68472df0d6234b159f27ca1503de29f574bd09b072cd38f503c8d5348d9dd4f5

C:\Users\Admin\AppData\Local\Temp\_MEI22082\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI22082\_socket.pyd

MD5 458f0f0ed8d16019d7c2d157bddea94b
SHA1 d21848e4ebafac0b9e9ca8d71e4f8cd2b5aaca57
SHA256 e6bdbe5d5d66c9790e490f6dbb695ca87a9acffa51c4a37d2948b7f1ba2c8b42
SHA512 00eb3c535a0074765f146523b0bb6f16360609a13a38579b19a2635590c2d947c5eaa7e78e7a9324b3670c505d6310e75e78f7e6fdadc23aa12ad165bdfccc69

C:\Users\Admin\AppData\Local\Temp\_MEI22082\select.pyd

MD5 ac8caceeaa28137a14784563d126ed7e
SHA1 4dcbe48eaa53d5c7d91c420df823dbff54f4da5f
SHA256 8e6d1a33b16dcc3922f7159a30ff596194a59b4a8fb5f9864517f03fd19f2c78
SHA512 b67bff989af102f5087d95993e9bd57c6808e401979707bc2d33b386326b964abb71f497d82747725fb040a1d337ee453a1d57c37b72fdc06f7ea7687dda8f12

C:\Users\Admin\AppData\Local\Temp\_MEI22082\_bz2.pyd

MD5 70a3a9e6d086a965bd164eb171f3f537
SHA1 a85dea115761d8a85ea08004fa65d975bbf37fdc
SHA256 5294b29c8130bad79b0a4ba9007f076843ebd35df6317b90ec9822f0ba3d8b57
SHA512 447937793cbbe64025db3f3a51cc2124fc73a418aa690db1ff5290edd4deac6a34d894653a33356e1d7ea3fdfcde801c9daa00873c0409d2223217d403c954a0

C:\Users\Admin\AppData\Local\Temp\_MEI22082\_lzma.pyd

MD5 24919c42c43d9ef08d4e372c339d9e47
SHA1 4ed83cdab8830605a7bb75cb03a5764b8ee5c886
SHA256 d8e4150517435b30913f4016df052dc7409d0e2b69b5f24333c274d504c4633f
SHA512 d2b8a9eed20e27390b47b23140feac340cf448c5c4b5deefe3e42f91e1b3482be1cffa5499b0c062e36ecea8990bea2523dbbef58acc816d3a0f89eddbab5ff1

C:\Users\Admin\AppData\Local\Temp\_MEI22082\pyexpat.pyd

MD5 b9927b95ff204d9149b6ef7430e70220
SHA1 502e0311a32bd5ce2dea87ffce21ddbaf255b07f
SHA256 e383225fd8917977fe16f628f9bc9c9cfaf346feb3a90f1f0615dbfb64cc1496
SHA512 fc5e879dbce1585cf2726c7db480e81b7180276c8c537b43e33b74e47a0c6d7a292b9843cd60b45046d3dabc9b165891e3ac57b7bd39a391bfea1b9aae51fb30

C:\Users\Admin\AppData\Local\Temp\_MEI22082\_ssl.pyd

MD5 486431c1032139d202565800a0729a3b
SHA1 0c43a02f1ba3162033410926fe4b22fe79ed81f1
SHA256 3dce8bd61cc46761033cd1457c64fe66ff306ea77aadf5543834a9be3b50c074
SHA512 4906d70e76ee1dc308027662613b29872f1c97f3e6390c913f1bb456c7be172989f6d1c5671500c23e7d5d054281e10de8d822350aa5606b73d7518b7c4beabe

C:\Users\Admin\AppData\Local\Temp\_MEI22082\libcrypto-1_1.dll

MD5 bf83f8ad60cb9db462ce62c73208a30d
SHA1 f1bc7dbc1e5b00426a51878719196d78981674c4
SHA256 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
SHA512 ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

C:\Users\Admin\AppData\Local\Temp\_MEI22082\libssl-1_1.dll

MD5 fe1f3632af98e7b7a2799e3973ba03cf
SHA1 353c7382e2de3ccdd2a4911e9e158e7c78648496
SHA256 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b
SHA512 a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

C:\Users\Admin\AppData\Local\Temp\_MEI22082\_asyncio.pyd

MD5 8c28ec788e715e3ca5dc2dd42cf9d250
SHA1 16e1b4c324f6f2fa7a206b5fbdd652477756825a
SHA256 91a6cb5ff61c48cdfff369341aa7ad85cca7a3cd32e714f6e80187f7ee399d3b
SHA512 be67d56fc6c7b672467626a30ae56943e6a9f1fbcc66c9edef5a67935bf314c7f745e6029eade27c4acd525e38ffcda77e3f229a7a5f4ada35547d39f2955a00

\Users\Admin\AppData\Local\Temp\_MEI22082\_overlapped.pyd

MD5 3306d52d49aa0107495e138bf5f64694
SHA1 ddf8a31cde3e34fe2ba4f8ba57ab1f47a379046f
SHA256 3f3032201cc0e94e73d227f905a99cbf5c117b16fdd29eea210fe6cfdeed38d5
SHA512 6fe3d3ced390572cdc874752b095c7adb0b2c1a5251d614da47c8bfd20dce1fc1a32c7b775dceaca5633cbdf33b4e47941c95a8a3c80a1341debdd6882275f0d

C:\Users\Admin\AppData\Local\Temp\_MEI22082\PIL\_imaging.cp38-win_amd64.pyd

MD5 b684a867c543afa326e50f0baa1ecb6d
SHA1 4f20d3b8c647fc424bf61ea48a3d275838c99f3a
SHA256 44fd0c580d2ebbc7899f52fccae53c36cc89f502d593a8341007d21316350b26
SHA512 45883d15c042b2e85dd74cd61306d8dd0fae5084f8971164ea1a7716f095036ced0b892a946660e2b68603362186946f9cf2de04f95ae0d46994a01f86b95e18

C:\Users\Admin\AppData\Local\Temp\_MEI22082\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI22082\PIL\_imagingft.cp38-win_amd64.pyd

MD5 6447dc0adb8dafc7cfe790366ee0d6e5
SHA1 e69006d5cde6eae7132e1f639abf54107dd4afdd
SHA256 ea3cd8c3f3e6a1bd76eaf7abb1b3d329bf78b2bd0f716ef5fd47644c56c822d3
SHA512 8ca2b3ce7bee04b04f26121144c77407c37439ae3d3c590799ae7ce48171b71e97b662bd1f14e7ca7474d9a280a2cd365f428a1ccfca0cb205ab8228a2b039d5

\Users\Admin\AppData\Local\Temp\_MEI22082\MSVCP140.dll

MD5 6da7f4530edb350cf9d967d969ccecf8
SHA1 3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9
SHA256 9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da
SHA512 1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe

"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe"

C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe

"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI29722\python38.dll

MD5 9e3ded73b6263b671a1d6c98256b721a
SHA1 814045f7a2be0ab7a8d34dc8156ba9ca06253ab9
SHA256 215e4f42658a1ba952197a3973ebafd2cd1d40a41c335ae376feacbcf5b04e87
SHA512 8323ffb40bbaee89b1a3f1a160a24776394591ed21dc63ccb82bece7b9a1fdc2c10404eb9f3f94bae730c57bdfd99210f67a532f789f5e5c5ea14fe76b3ad05b

C:\Users\Admin\AppData\Local\Temp\_MEI29722\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI29722\base_library.zip

MD5 ef85fd90311ad1d32e5eb93e6195a2da
SHA1 34b356978571872f6ca3b7779ea9be265db65894
SHA256 50b2065fb651a5935816aca199e0dc8eeaaa73363428c83cdcdcb49da4940163
SHA512 03665836836bf5f1c29fd270628d86f8b6cb5bdb3d43eb36894853a40dfa533abe76c5c74466d3c636c8f9323c323f50725ea569bca8eee495f71fd1677248c3

C:\Users\Admin\AppData\Local\Temp\_MEI29722\_ctypes.pyd

MD5 9082abcff2c89a406e7eddc1a1d4afd9
SHA1 b114950c87dd1c544cf02704f5164a315993a716
SHA256 591392e5c488defdcfb179bc0db96504577e2122370ae480e840a90d53ce3f44
SHA512 3176d9898c77bb766679242c9667516868b25eadf59d7b92fe751d3bb81a9f4b68472df0d6234b159f27ca1503de29f574bd09b072cd38f503c8d5348d9dd4f5

C:\Users\Admin\AppData\Local\Temp\_MEI29722\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI29722\_socket.pyd

MD5 458f0f0ed8d16019d7c2d157bddea94b
SHA1 d21848e4ebafac0b9e9ca8d71e4f8cd2b5aaca57
SHA256 e6bdbe5d5d66c9790e490f6dbb695ca87a9acffa51c4a37d2948b7f1ba2c8b42
SHA512 00eb3c535a0074765f146523b0bb6f16360609a13a38579b19a2635590c2d947c5eaa7e78e7a9324b3670c505d6310e75e78f7e6fdadc23aa12ad165bdfccc69

C:\Users\Admin\AppData\Local\Temp\_MEI29722\select.pyd

MD5 ac8caceeaa28137a14784563d126ed7e
SHA1 4dcbe48eaa53d5c7d91c420df823dbff54f4da5f
SHA256 8e6d1a33b16dcc3922f7159a30ff596194a59b4a8fb5f9864517f03fd19f2c78
SHA512 b67bff989af102f5087d95993e9bd57c6808e401979707bc2d33b386326b964abb71f497d82747725fb040a1d337ee453a1d57c37b72fdc06f7ea7687dda8f12

C:\Users\Admin\AppData\Local\Temp\_MEI29722\_bz2.pyd

MD5 70a3a9e6d086a965bd164eb171f3f537
SHA1 a85dea115761d8a85ea08004fa65d975bbf37fdc
SHA256 5294b29c8130bad79b0a4ba9007f076843ebd35df6317b90ec9822f0ba3d8b57
SHA512 447937793cbbe64025db3f3a51cc2124fc73a418aa690db1ff5290edd4deac6a34d894653a33356e1d7ea3fdfcde801c9daa00873c0409d2223217d403c954a0

C:\Users\Admin\AppData\Local\Temp\_MEI29722\_lzma.pyd

MD5 24919c42c43d9ef08d4e372c339d9e47
SHA1 4ed83cdab8830605a7bb75cb03a5764b8ee5c886
SHA256 d8e4150517435b30913f4016df052dc7409d0e2b69b5f24333c274d504c4633f
SHA512 d2b8a9eed20e27390b47b23140feac340cf448c5c4b5deefe3e42f91e1b3482be1cffa5499b0c062e36ecea8990bea2523dbbef58acc816d3a0f89eddbab5ff1

C:\Users\Admin\AppData\Local\Temp\_MEI29722\pyexpat.pyd

MD5 b9927b95ff204d9149b6ef7430e70220
SHA1 502e0311a32bd5ce2dea87ffce21ddbaf255b07f
SHA256 e383225fd8917977fe16f628f9bc9c9cfaf346feb3a90f1f0615dbfb64cc1496
SHA512 fc5e879dbce1585cf2726c7db480e81b7180276c8c537b43e33b74e47a0c6d7a292b9843cd60b45046d3dabc9b165891e3ac57b7bd39a391bfea1b9aae51fb30

C:\Users\Admin\AppData\Local\Temp\_MEI29722\_ssl.pyd

MD5 486431c1032139d202565800a0729a3b
SHA1 0c43a02f1ba3162033410926fe4b22fe79ed81f1
SHA256 3dce8bd61cc46761033cd1457c64fe66ff306ea77aadf5543834a9be3b50c074
SHA512 4906d70e76ee1dc308027662613b29872f1c97f3e6390c913f1bb456c7be172989f6d1c5671500c23e7d5d054281e10de8d822350aa5606b73d7518b7c4beabe

C:\Users\Admin\AppData\Local\Temp\_MEI29722\libcrypto-1_1.dll

MD5 bf83f8ad60cb9db462ce62c73208a30d
SHA1 f1bc7dbc1e5b00426a51878719196d78981674c4
SHA256 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
SHA512 ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

C:\Users\Admin\AppData\Local\Temp\_MEI29722\libssl-1_1.dll

MD5 fe1f3632af98e7b7a2799e3973ba03cf
SHA1 353c7382e2de3ccdd2a4911e9e158e7c78648496
SHA256 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b
SHA512 a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

C:\Users\Admin\AppData\Local\Temp\_MEI29722\_asyncio.pyd

MD5 8c28ec788e715e3ca5dc2dd42cf9d250
SHA1 16e1b4c324f6f2fa7a206b5fbdd652477756825a
SHA256 91a6cb5ff61c48cdfff369341aa7ad85cca7a3cd32e714f6e80187f7ee399d3b
SHA512 be67d56fc6c7b672467626a30ae56943e6a9f1fbcc66c9edef5a67935bf314c7f745e6029eade27c4acd525e38ffcda77e3f229a7a5f4ada35547d39f2955a00

C:\Users\Admin\AppData\Local\Temp\_MEI29722\_overlapped.pyd

MD5 3306d52d49aa0107495e138bf5f64694
SHA1 ddf8a31cde3e34fe2ba4f8ba57ab1f47a379046f
SHA256 3f3032201cc0e94e73d227f905a99cbf5c117b16fdd29eea210fe6cfdeed38d5
SHA512 6fe3d3ced390572cdc874752b095c7adb0b2c1a5251d614da47c8bfd20dce1fc1a32c7b775dceaca5633cbdf33b4e47941c95a8a3c80a1341debdd6882275f0d

C:\Users\Admin\AppData\Local\Temp\_MEI29722\PIL\_imaging.cp38-win_amd64.pyd

MD5 b684a867c543afa326e50f0baa1ecb6d
SHA1 4f20d3b8c647fc424bf61ea48a3d275838c99f3a
SHA256 44fd0c580d2ebbc7899f52fccae53c36cc89f502d593a8341007d21316350b26
SHA512 45883d15c042b2e85dd74cd61306d8dd0fae5084f8971164ea1a7716f095036ced0b892a946660e2b68603362186946f9cf2de04f95ae0d46994a01f86b95e18

C:\Users\Admin\AppData\Local\Temp\_MEI29722\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI29722\MSVCP140.dll

MD5 6da7f4530edb350cf9d967d969ccecf8
SHA1 3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9
SHA256 9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da
SHA512 1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

C:\Users\Admin\AppData\Local\Temp\_MEI29722\PIL\_imagingft.cp38-win_amd64.pyd

MD5 6447dc0adb8dafc7cfe790366ee0d6e5
SHA1 e69006d5cde6eae7132e1f639abf54107dd4afdd
SHA256 ea3cd8c3f3e6a1bd76eaf7abb1b3d329bf78b2bd0f716ef5fd47644c56c822d3
SHA512 8ca2b3ce7bee04b04f26121144c77407c37439ae3d3c590799ae7ce48171b71e97b662bd1f14e7ca7474d9a280a2cd365f428a1ccfca0cb205ab8228a2b039d5

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\text_to_gif.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\text_to_gif.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\text_to_gif.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\text_to_gif.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 84672eb992c1fc61776d86ba0fda0ede
SHA1 fb49f9fc39db120d2df3322330bf5b184e5ea699
SHA256 799c2ae7f4746573dd3b1e4aa829d466ee37e859e3271706f9c956ec9d20d17d
SHA512 34a3399c8841e423f101c3d81752f87121092ab0b8ec42fcc6aae603897e60198579357b9926741a39214a05063ec26447c9e9d1ce6646951d49999297d35de2

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\text_to_gif.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\text_to_gif.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

109s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\bane2.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\bane2.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\create_gif.bat"

Signatures

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\create_gif.bat"

C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe

gifski --fps 50 -o clip.gif frames/frame*.png

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe

"C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\gifski.exe"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\logo.gif

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd951702000000000200000000001066000000010000200000003b1894c90f940c2e6085136b67b1ace26e1d1455923873a90470c34c7d29c65b000000000e8000000002000020000000d2b188d07a3f0988316f0b40de648c91c6bc0b4e24d3ecad46cd480fd34758422000000022086a3237a60a3337cb26f552235df84b7fa4cbbfb9724cae219aa387ccb27140000000cb5f61bfee70ff998a137b6ba72625eabdce3ae99923bc22b1b8ea7069e48f1b60940efdbd0f83219f36454e1779405554c631463e612c1684ffea4e7cc9bac9 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0ee987ed0abda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2021142433" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108048" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108048" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A282DDA3-17C3-11EF-B9F7-5E2396FD2BC6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd9517020000000002000000000010660000000100002000000045f3438767d6d46072d1b455cd16f8b480301b594ca1a6886232f7877e29778c000000000e8000000002000020000000044db04f57c61378a76f63f3fb389031239f58c1b6bb308238d53b7370cc8b0b20000000659659d172f47c2732c3609c0927b402d24ce15bd52e31bb70bb4b495d42b1bd400000000824dafc5a9b8bf598a08e46b48726d6539b56384d47e3c5e134619975a567216c10f0a1fe91552d4e658093babac11d6de7ba3bea02b4b4efe16cdede035c8c C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f09bb17dd0abda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108048" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423096433" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2021142433" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2070986227" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\logo.gif

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5196 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 78207b82cd88741596bfbe35667bef0c
SHA1 d2aa9f014d12219d074f7b4c92efebbf8e615791
SHA256 55b97539e3725b2fd6fdbb103e48b51e8cc3b4dd33e3e3c5d74bdfd54e48d01d
SHA512 2b7a26550c51d8bf6eceafcf1ca47f2f02f02700b13ac2684442592b5a774f9a667227ac9865387234c556fd24de20239edd1b2e9085025840ecbc844a480083

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 1df8c673305a1cc5256117813d43cfc2
SHA1 c884e950c1414c10d908ef09026038be70fe3852
SHA256 aa854bda9c1ec2a0482b866d9986b7315261c54dc8e98e22d19a509adb43dd42
SHA512 97bfaf072088ee1f60ad59005c624a216f3dd2e3018ad265371153bf347d3fa328da258c2df893dfb54fc48a5b9c8cb1cd35b62bc5b2e92a6721f6d56e1c87da

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\temp-frames\readme.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.md C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.md\ = "md_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\temp-frames\readme.md

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\temp-frames\readme.md

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\temp-frames\readme.md"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 78b9b98104c4c026876410fb28187d09
SHA1 41a492e60e9ab150d7d57c72252854d249d1ac12
SHA256 485a5bab18d8082ca3cad932145ce0f0176b107ced9c562db500fbbab7c4e717
SHA512 c6035b0077d72de1f154c56a23185fcd1d07bd90088ae652e7929bdd15e420b93f58be768328c6d2bcbb953d04274adb93c578831b4ee32f1715d670ab622c54

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win7-20240508-en

Max time kernel

118s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\text_to_gif.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e150025d503eff9f672c2b41b1d538a3
SHA1 12ac612cb01cabd79a09a2a9d26c48cf3938e74e
SHA256 54f2b84cc035b358bd6fb1287ee007ff8d033970d8f5f56a67d759b8dfc6f91e
SHA512 56b25f26f16cfdd5fd369bbd9020edd65004eb6477f49baadb6fad439088e132d5c423998a7341b379b7e6404bcba799643b7a22f1e11e14a2ce07945a3375d3

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win7-20240215-en

Max time kernel

121s

Max time network

127s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\bane2.png

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\bane2.png

Network

N/A

Files

memory/3012-0-0x0000000001D70000-0x0000000001D71000-memory.dmp

memory/3012-1-0x0000000001D70000-0x0000000001D71000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\frames\readme.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.md C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.md\ = "md_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\frames\readme.md

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\frames\readme.md

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\frames\readme.md"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 486ed627bef78a833cc102aa89f4d97e
SHA1 9eb4fffa01776c681614e2054a933dab4c7d5b29
SHA256 3ea7ba863b024f5bf57055da05e8d3c194cf06b83a3eb611d48ccdadfcfaa000
SHA512 548f670339aee22c1d35a3984b28abd325d07327d526d5bcce61abf0ae682f28ee420c74845da35ad2625cc9f2d09c17d8be37acd8ba725182cfe6b16c529906

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win7-20240419-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\logo.gif

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0ae9073d0abda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000e544795a3d12ac216594bac58eda5b3c17f8cefa03b1e0a6504e5bff9720ed6e000000000e800000000200002000000047ce3075877ffc54e296756114defa773a1a046e6f11c4dac97f43f3f978903f900000008226d1802d6dbc62c5691cbc9301c0ef995ad90fdd53a17a5a06891bc28128b50cd2ef5e13bec31c42a7e60527cfc9c3c80018afcf9396bdc900e96248fdf35a81ecc98975697bc80a13632d626a9a0e83f504905a20327d07d2aba275ec8e6f79c215b7750f0551b7b28a7caef7ac991be4847b4ae06cc04dcb64f3eb6ff1e5f6bd08f059045b49266a9a993ec5b6d1400000003c3cf1fd07a77316cb237eb04d285f1c7810067d8456e867379c3fc7c57c6ac2866e830401cd362407662db803ec06b1938a68766728eb279060406912571384 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9EF16341-17C3-11EF-97A3-C6E8F1D2B27D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d10000000002000000000010660000000100002000000022e568a2856f7bfd506551df52074442a8abcceae52e1289f404dfc807d6943e000000000e8000000002000020000000cebbd14a946d5a11477e2b7d75f26d6867cafe0d5af55425474c39af464cca9320000000cf7343e6d109dbeb3fe195e87b140cd2ad7cc785d060c30309ed032bbea8a39b40000000c134e9ef4350282ec85ff219b113d558402e4abde93ded8e921e77805d1ec6e27b70c8d3229b2ddc3b721747de2ef5e4faf68abb71634708c639df9a090019c2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422493309" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\logo.gif

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab3046.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar30B7.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27d9d4ac76bf9ea0735aa2f122bcf709
SHA1 caa61cdb6f6e3ebb9672f4b0c8b2cef104f239a2
SHA256 fa98d87e160fc88077add606e59becd52ce98f54c642b8b2b1bc510f3dd76e00
SHA512 24db14762d9f6c2732d9d82484ec49d76811a10cb7bce6417e55b774dd57647f70e0f5fdf939b0492c49ffca036701b5cda0c7d3a3a7934e189a209116b77ee2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 68274d906bab4148c96956336983f949
SHA1 58d4f0915eb371380d4facf2d7c74c8a3fb7a81b
SHA256 71d1ee2b737ee89cbdc7e805d37bb166a6a30ed754cddee0b1ed97a4c649ff65
SHA512 6f6d8a89aed16a0e83bfe51d5577fad2922825afa62373646e2dae0a4e7688dc6202c77d9a62d5aaa94bb8b0969a025c94bb91e1aa8fc28e7ec3f0afbba6448e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f84eba26d85650b502ccc2acff4f20cb
SHA1 7494f639ac5595e2b97f4af123df6b49de620dd2
SHA256 d46bc26741f6b6d02bd491ad0ebf62ac85737fdbaabdb285bb21a6f28d7423f3
SHA512 e235ebaf620ecc42b849dad5d8a3b3ccb06493d60c8f452fe477e07400999a8fad3c693614d738bb7a9b1d68271a5b2fe7bdd0fe01726ab63350b5829dbf3234

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 498c10c9e8d5e2b36b295df41870fb9a
SHA1 b2b606af0da02de60e8678d1969716d4f18d5108
SHA256 9e06b8b0dc3165f2d3cefbb34e341880985a24e15a149dfab400fe23f9af2596
SHA512 7216a3c2c415284a30edb982d5d00c03dfe66d27f7b9ea8d3f4e0d6184d21e9d6b29c50cca9ca80758799299b1b2daa8ac2c00c01f4359642ab07001f040e395

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c30acc56552450fce56acaef99f76cac
SHA1 8e7e1aa5e003ba6ab8b33f9505535d8964dba87b
SHA256 810eda05c415ab1477bfb24825b533192766fb88428e727f2a85bb07385adb6c
SHA512 5931123de665196e90a3fd926c87b9f94dcd9c2fbf6732d72dd9804cb7260348bff86b10065879f3f162765e777567bc5c144f0a924349d756fba999d8a917f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 621dce0ab501a551fbe6d75374c03376
SHA1 b32930cc82013dd9d3913b2ca1b49c837aaa2faa
SHA256 79f2570929a5b1155f6c1ffdb5ff2e40bafd4c911e74322b3825e211f1298d71
SHA512 eb42470c95108ab4166c6f359502ab93ec31f5ecc97fb9c9cb5684c6dc2d278be8147dc163c11858224fbda0e549588ea7c947f7a3553e1fa60ded42788159e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5fbeedce04feef196f6945afff8a7b71
SHA1 51f35af009d2d9f1c149957d4b12cd24e008b92c
SHA256 27d5ecfb9543a55609eb046ada889613595595b2279a543c22bf1f9d22378490
SHA512 707587289351025386ff4a16d653dd4014abce4fb8f55d078b511edb5a777add3e3ec3dbedb26b99849b410aba99e5971c40d22a78925b51cc88a377cc5bcb5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0132aa8db7dd434a62de57d08e00efc4
SHA1 3296c301ec83d3c20a34f7fa1aa68df0a1ee911b
SHA256 d4cc683e8f885fd032e2c6aeb8b394cc42ad539b67b5104a56c62e815cf0583b
SHA512 ab8431dde7bd7d90898f2e30a1a4191601100aafcc383372523f0d6dcbb2394885d5d4ba3dc63cd9624084fa4c1f63a6dc5a08f7f164d150603efb3b4f5377da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b90c20d1fced91ffeff59c9a9fd827c3
SHA1 52073b06ab4d3aaafe41f2fa2ec4ff2520aae3a9
SHA256 ad67c0704b3e76a73da85c7825f1ea1af8d51fc82e975553bece21d9be6903a0
SHA512 be16a93a29dd883a3fa6eeb6c7e78a1fe08ec1ec3b43bf3c6a0c43946e7141483f728d4a5759503d426e44c754dbfa3df46cdcacdf642d5460758fa75b37609c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 870cf68fed589c8c1944ee277912c032
SHA1 01b17fa91a948adf15e69b821c37ae12607c68b5
SHA256 55cb3fb0703772cc334c2df0492115c0ce159a4eef67779fe8f0037c3cd93f8c
SHA512 b239c01e5ebadf6ace617a8d328784cc0865a1d1199bb16f298857619a29390cfaab5cadd52756cabdf70fd9f16589ca1c37967531fb8ac06b7b30a3c8dd3cda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a04c1db6666efcdc35aef73157cae15c
SHA1 83f69ed1d4e20c1e0bf0f7a65107f90e9e520166
SHA256 c3d4d2fe7c2fb11f5e9a0892001f87c22deb1dba2226a5fa8e634111d7ec11ff
SHA512 b1b99cdbab35a0327bce5a530e1619d60c73b92620c3e84aae2fceca364c993a33cd4d7ec9c42b7051b4f36182d1e8c0a84126369000301356cb32a4ae96f2b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7afd0cd83fa556df230652485f3d082a
SHA1 e99ffa293fa977aaadd582c26146ff9bff5e4819
SHA256 5bd47be35f6fc0380ed45c000138e083c429e58608b2f39937180c601b482659
SHA512 df032e6087707211f796f9ccc6d72b182976d04c5e62e8efa34577f40eeb6e097d856e49d6d3f256ca49d2b0da55a36a18945c2fbd8a2c4af42bcf6e96ec802b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f30dcbf695e7208056092e55852a127
SHA1 a5b92fbfc756cf21291ca11df771df6e9f26114a
SHA256 52afb61432d0812e4ad617bd398276ba2c1ada97e2900b1eb22fc612bb26577f
SHA512 0490672ca57eb4263578de3f8eaabba59c9305d7d082a28ec53d58d96a5abe4fa282c1b428ef7b20969044165b236ead3ae42738e60c459298ad82ce1249b99a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1894e5f505047fbedd065275ffea5f2
SHA1 dc7c651bb5acaa7e0ac87289a913601eeabc7950
SHA256 f73af967ce7c0f50c5b624e25805bcafebae79f73823f31f6d6e6d6d86996018
SHA512 4c1ef7a63d7851e0972b556012712e09d02dc4179830f5b734b32804aab0ca2fd709a7984bf89d7886fb7ae25da5af0bfbad933f3c96449e6c88a6c9bd40a673

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95026272644781c9badbd40782373c79
SHA1 5b42053939704c877ce32e465e5d8742401de4d7
SHA256 944830e7076a0cf4051e4fc2ddea232f2e5e491d255533365f65ae15fc138a35
SHA512 cd36d9befec7eee352ab868cff95624c40c75781e937952e4458bdebe0dbb466c9f49b84157ea97f1135266204ae902096a67eb1cbfbf121562d6c673e64c635

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b85f819497411bfd7f6f9b46c703a110
SHA1 2c094beed9d3c413dc80b7c5817e1d2b3f09948d
SHA256 9bf97367843d85019c03ccd3360f6acd7e5a3ea157b362fc89b46885591d6d97
SHA512 2d5ffdd9a0943da25f1465531092563a5d47dbda9411de83c29204b59ed2d0b55686ce72cba101a211f087e0d197b8f7f8899a970944be9e8ed5a6543d9f4114

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0521599a7283a8f7024e1451a5aa901
SHA1 9b50c16d87a24d60d78412e6a005df76ddacaaad
SHA256 28a0b41a24328b5b533efe00e9c4af554b42c06575a7194ff00f1a5e6e2fb7bd
SHA512 a5dd3bfdcff8cbdbf4ddbc831bfb7558ac9583f0d3643f82e81cac5e65e3027b2945de5eabe57dfbc16f3c0aae1569c90ec8d1b3dad9836c3124818ed96017e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2080182e98cb27587463921c186e3505
SHA1 76ffd7f12f3835d52b8afb3e2b888f338e4ff911
SHA256 d5571241386f84d85333cfc344a0fca138a6f9ae9c5531269df268b4e4a47bd4
SHA512 63e9790ead61db395a15b0e6703e6cc149120e22b876f780849e0f1ac17cc91020bdae86e2f6431e652719a14caf0ae05efb32faf4981e68c82a39fd77e4d060

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 986716162818b352b1d7b52154630f01
SHA1 8072689fd59595b106e6af4164eaf9d7e016a40e
SHA256 7d0beea3d10a0632cdaaebd2487d2e778b080b1c1931a53ceef59ee57b16d8c4
SHA512 1e8a544cebcd62e443da4ab2054a1f3f18686545a593af8132791d9767131173fbc87ca007e9c628ddf3415ca058fbdf8a794645a63c0c15d86466cdc4cb839c

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\primordial.ttf

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1004 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\fontview.exe
PID 1004 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\fontview.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\primordial.ttf

C:\Windows\System32\fontview.exe

"C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\primordial.ttf

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-21 22:43

Reported

2024-05-21 22:46

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

104s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\readme.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Text%20on%20gif\readme.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A