Malware Analysis Report

2025-05-05 21:25

Sample ID: 240521-vqbhhacf7t
Target: Good_Hits_Parser.exe
SHA256: 8e27c0148a54e406f3078db8fb26e427f466b1dd3443000fc8f81b756a1550c0
Tags: pyinstaller
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 8e27c0148a54e406f3078db8fb26e427f466b1dd3443000fc8f81b756a1550c0

Threat Level: Shows suspicious behavior

The file Good_Hits_Parser.exe was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Drops startup file

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Uses Volume Shadow Copy WMI provider

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer Phishing Filter

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 17:11

Signatures

Detects Pyinstaller

Tags: pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-21 17:11

Reported

2024-05-21 17:14

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\clipper.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\clipper.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4404,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 17:11

Reported

2024-05-21 17:14

Platform

win7-20240221-en

Max time kernel

142s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Good_Hits_Parser.exe | C:\Windows\system32\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Good_Hits_Parser.exe | C:\Windows\system32\cmd.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe

"C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe"

C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe

"C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI26762\python38.dll

MD5 9e3ded73b6263b671a1d6c98256b721a
SHA1 814045f7a2be0ab7a8d34dc8156ba9ca06253ab9
SHA256 215e4f42658a1ba952197a3973ebafd2cd1d40a41c335ae376feacbcf5b04e87
SHA512 8323ffb40bbaee89b1a3f1a160a24776394591ed21dc63ccb82bece7b9a1fdc2c10404eb9f3f94bae730c57bdfd99210f67a532f789f5e5c5ea14fe76b3ad05b

C:\Users\Admin\AppData\Local\Temp\_MEI26762\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI26762\base_library.zip

MD5 bbce7d385200a3ffb1f829b97c6cb954
SHA1 e5f93ab3c9738ade92b2a5df7d15e4476cd567d8
SHA256 e9b2832e35d7d58f9bdd30fd5540ac2a167aa5f10938aa1d15c57e2810dc5ce9
SHA512 6fadf644c93504ba7647c986e61c76badec777db0b987d6653221b7b56f06b6855c671c78ac5edff518960e277f2f0e674de9751e7177b3898085ed0a4709ecd

C:\Users\Admin\AppData\Local\Temp\_MEI26762\_ctypes.pyd

MD5 9082abcff2c89a406e7eddc1a1d4afd9
SHA1 b114950c87dd1c544cf02704f5164a315993a716
SHA256 591392e5c488defdcfb179bc0db96504577e2122370ae480e840a90d53ce3f44
SHA512 3176d9898c77bb766679242c9667516868b25eadf59d7b92fe751d3bb81a9f4b68472df0d6234b159f27ca1503de29f574bd09b072cd38f503c8d5348d9dd4f5

C:\Users\Admin\AppData\Local\Temp\_MEI26762\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI26762\_bz2.pyd

MD5 70a3a9e6d086a965bd164eb171f3f537
SHA1 a85dea115761d8a85ea08004fa65d975bbf37fdc
SHA256 5294b29c8130bad79b0a4ba9007f076843ebd35df6317b90ec9822f0ba3d8b57
SHA512 447937793cbbe64025db3f3a51cc2124fc73a418aa690db1ff5290edd4deac6a34d894653a33356e1d7ea3fdfcde801c9daa00873c0409d2223217d403c954a0

C:\Users\Admin\AppData\Local\Temp\_MEI26762\_lzma.pyd

MD5 24919c42c43d9ef08d4e372c339d9e47
SHA1 4ed83cdab8830605a7bb75cb03a5764b8ee5c886
SHA256 d8e4150517435b30913f4016df052dc7409d0e2b69b5f24333c274d504c4633f
SHA512 d2b8a9eed20e27390b47b23140feac340cf448c5c4b5deefe3e42f91e1b3482be1cffa5499b0c062e36ecea8990bea2523dbbef58acc816d3a0f89eddbab5ff1

C:\Users\Admin\AppData\Local\Temp\_MEI26762\win32api.pyd

MD5 64fec318efd64fa98ea427a70c02c808
SHA1 f6e9ba6a4ce4d300f63004aee6ca967363cc68a1
SHA256 e000f1d7dd22a0a6e87160c633fdd5e35ce8e1e367d612a870f4428ab84af10a
SHA512 6f6daff5f9be46ba1bd312d8be2bb9a5be1fda9f4d1603f528286290b907c5ff6e21939e62e3f101b30bb173519e39d0e00c5157c89093c52ab036d95ee9a758

C:\Users\Admin\AppData\Local\Temp\_MEI26762\pywintypes38.dll

MD5 4bfa43585ad0f9b7ac5858cf2c0b4963
SHA1 f3e34e2d5748bdc1f49cc665342ee66662919873
SHA256 455682c2212474ae895bfb931ffd7d1d15993451bdbe65ace820c9e747ca3490
SHA512 d2346b871f06adfcb115a97e2b04be3d49f16bf2e92eab303e9eabd562e50f95307c8ea7a2f0541579224648fb3938a58d1c31e2248a5c6fcbc5d359d6864cc8

C:\Users\Admin\AppData\Local\Temp\_MEI26762\pythoncom38.dll

MD5 eaafa2b6768a7d23494b95e897a56ca4
SHA1 c4dc648ead5ae0c45abd1a22db76a3aef4469337
SHA256 c238f7991cc7a0e2a707d2dd59b800951ea92ec15c3e6c2b1e0229adb8cec1a1
SHA512 aa4edb0d8194ae0069d3938cdfef14e91adaee0a746713a7f39d5169fa298727014c7995a00ef2bc0cd77e6a25ed5fb415cac3f0add2dd04ac90be29059a0e31

C:\Users\Admin\AppData\Local\Temp\_MEI26762\_socket.pyd

MD5 458f0f0ed8d16019d7c2d157bddea94b
SHA1 d21848e4ebafac0b9e9ca8d71e4f8cd2b5aaca57
SHA256 e6bdbe5d5d66c9790e490f6dbb695ca87a9acffa51c4a37d2948b7f1ba2c8b42
SHA512 00eb3c535a0074765f146523b0bb6f16360609a13a38579b19a2635590c2d947c5eaa7e78e7a9324b3670c505d6310e75e78f7e6fdadc23aa12ad165bdfccc69

C:\Users\Admin\AppData\Local\Temp\_MEI26762\_pytransform.dll

MD5 95c20648ce0e148bd37f50f17a644b85
SHA1 eeab8f64d983cc868660a7a249257ab9839d3d1e
SHA256 1c1bf407c0bc7270f7bee57ae3c7f5a37a837f940ba7aca9561ab88e5678d7b5
SHA512 32f8e2c77cc7015bd4f5b79a52dd540e1e1cbb40824857e95e1e9575979a225aff6bbcd69fa2fdd515c42256f5d241c04c89e8b8debb84aa8995c8404d918ad5

C:\Users\Admin\AppData\Local\Temp\_MEI26762\select.pyd

MD5 ac8caceeaa28137a14784563d126ed7e
SHA1 4dcbe48eaa53d5c7d91c420df823dbff54f4da5f
SHA256 8e6d1a33b16dcc3922f7159a30ff596194a59b4a8fb5f9864517f03fd19f2c78
SHA512 b67bff989af102f5087d95993e9bd57c6808e401979707bc2d33b386326b964abb71f497d82747725fb040a1d337ee453a1d57c37b72fdc06f7ea7687dda8f12

C:\Users\Admin\AppData\Local\Temp\_MEI26762\win32file.pyd

MD5 251b0d5fa4148895cbbc1228b4af81f8
SHA1 1de857df0012898449ed96d49660d36843512b9a
SHA256 0178f47c605bdc97d77b7ebee70231a2520a085203b6a6e30aa2a11853eb2f07
SHA512 c2d6dcdc67771cc6d102537b3e246e8c6e5f401a473e843279425f7af5bb8be425197ec0568acb5bff0b6ea9671bb0584af88da1f1a9ae72df10db1c40e94cd4

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 17:11

Reported

2024-05-21 17:14

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Good_Hits_Parser.exe | C:\Windows\system32\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Good_Hits_Parser.exe | C:\Windows\system32\cmd.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe | N/A

Detects Pyinstaller

Tags: pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe

"C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe"

C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe

"C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.155:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI22962\python38.dll

MD5 9e3ded73b6263b671a1d6c98256b721a
SHA1 814045f7a2be0ab7a8d34dc8156ba9ca06253ab9
SHA256 215e4f42658a1ba952197a3973ebafd2cd1d40a41c335ae376feacbcf5b04e87
SHA512 8323ffb40bbaee89b1a3f1a160a24776394591ed21dc63ccb82bece7b9a1fdc2c10404eb9f3f94bae730c57bdfd99210f67a532f789f5e5c5ea14fe76b3ad05b

C:\Users\Admin\AppData\Local\Temp\_MEI22962\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI22962\base_library.zip

MD5 bbce7d385200a3ffb1f829b97c6cb954
SHA1 e5f93ab3c9738ade92b2a5df7d15e4476cd567d8
SHA256 e9b2832e35d7d58f9bdd30fd5540ac2a167aa5f10938aa1d15c57e2810dc5ce9
SHA512 6fadf644c93504ba7647c986e61c76badec777db0b987d6653221b7b56f06b6855c671c78ac5edff518960e277f2f0e674de9751e7177b3898085ed0a4709ecd

C:\Users\Admin\AppData\Local\Temp\_MEI22962\_ctypes.pyd

MD5 9082abcff2c89a406e7eddc1a1d4afd9
SHA1 b114950c87dd1c544cf02704f5164a315993a716
SHA256 591392e5c488defdcfb179bc0db96504577e2122370ae480e840a90d53ce3f44
SHA512 3176d9898c77bb766679242c9667516868b25eadf59d7b92fe751d3bb81a9f4b68472df0d6234b159f27ca1503de29f574bd09b072cd38f503c8d5348d9dd4f5

C:\Users\Admin\AppData\Local\Temp\_MEI22962\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI22962\_bz2.pyd

MD5 70a3a9e6d086a965bd164eb171f3f537
SHA1 a85dea115761d8a85ea08004fa65d975bbf37fdc
SHA256 5294b29c8130bad79b0a4ba9007f076843ebd35df6317b90ec9822f0ba3d8b57
SHA512 447937793cbbe64025db3f3a51cc2124fc73a418aa690db1ff5290edd4deac6a34d894653a33356e1d7ea3fdfcde801c9daa00873c0409d2223217d403c954a0

C:\Users\Admin\AppData\Local\Temp\_MEI22962\_lzma.pyd

MD5 24919c42c43d9ef08d4e372c339d9e47
SHA1 4ed83cdab8830605a7bb75cb03a5764b8ee5c886
SHA256 d8e4150517435b30913f4016df052dc7409d0e2b69b5f24333c274d504c4633f
SHA512 d2b8a9eed20e27390b47b23140feac340cf448c5c4b5deefe3e42f91e1b3482be1cffa5499b0c062e36ecea8990bea2523dbbef58acc816d3a0f89eddbab5ff1

C:\Users\Admin\AppData\Local\Temp\_MEI22962\pywintypes38.dll

MD5 4bfa43585ad0f9b7ac5858cf2c0b4963
SHA1 f3e34e2d5748bdc1f49cc665342ee66662919873
SHA256 455682c2212474ae895bfb931ffd7d1d15993451bdbe65ace820c9e747ca3490
SHA512 d2346b871f06adfcb115a97e2b04be3d49f16bf2e92eab303e9eabd562e50f95307c8ea7a2f0541579224648fb3938a58d1c31e2248a5c6fcbc5d359d6864cc8

C:\Users\Admin\AppData\Local\Temp\_MEI22962\pythoncom38.dll

MD5 eaafa2b6768a7d23494b95e897a56ca4
SHA1 c4dc648ead5ae0c45abd1a22db76a3aef4469337
SHA256 c238f7991cc7a0e2a707d2dd59b800951ea92ec15c3e6c2b1e0229adb8cec1a1
SHA512 aa4edb0d8194ae0069d3938cdfef14e91adaee0a746713a7f39d5169fa298727014c7995a00ef2bc0cd77e6a25ed5fb415cac3f0add2dd04ac90be29059a0e31

C:\Users\Admin\AppData\Local\Temp\_MEI22962\_socket.pyd

MD5 458f0f0ed8d16019d7c2d157bddea94b
SHA1 d21848e4ebafac0b9e9ca8d71e4f8cd2b5aaca57
SHA256 e6bdbe5d5d66c9790e490f6dbb695ca87a9acffa51c4a37d2948b7f1ba2c8b42
SHA512 00eb3c535a0074765f146523b0bb6f16360609a13a38579b19a2635590c2d947c5eaa7e78e7a9324b3670c505d6310e75e78f7e6fdadc23aa12ad165bdfccc69

C:\Users\Admin\AppData\Local\Temp\_MEI22962\win32file.pyd

MD5 251b0d5fa4148895cbbc1228b4af81f8
SHA1 1de857df0012898449ed96d49660d36843512b9a
SHA256 0178f47c605bdc97d77b7ebee70231a2520a085203b6a6e30aa2a11853eb2f07
SHA512 c2d6dcdc67771cc6d102537b3e246e8c6e5f401a473e843279425f7af5bb8be425197ec0568acb5bff0b6ea9671bb0584af88da1f1a9ae72df10db1c40e94cd4

C:\Users\Admin\AppData\Local\Temp\_MEI22962\_pytransform.dll

MD5 95c20648ce0e148bd37f50f17a644b85
SHA1 eeab8f64d983cc868660a7a249257ab9839d3d1e
SHA256 1c1bf407c0bc7270f7bee57ae3c7f5a37a837f940ba7aca9561ab88e5678d7b5
SHA512 32f8e2c77cc7015bd4f5b79a52dd540e1e1cbb40824857e95e1e9575979a225aff6bbcd69fa2fdd515c42256f5d241c04c89e8b8debb84aa8995c8404d918ad5

C:\Users\Admin\AppData\Local\Temp\_MEI22962\select.pyd

MD5 ac8caceeaa28137a14784563d126ed7e
SHA1 4dcbe48eaa53d5c7d91c420df823dbff54f4da5f
SHA256 8e6d1a33b16dcc3922f7159a30ff596194a59b4a8fb5f9864517f03fd19f2c78
SHA512 b67bff989af102f5087d95993e9bd57c6808e401979707bc2d33b386326b964abb71f497d82747725fb040a1d337ee453a1d57c37b72fdc06f7ea7687dda8f12

C:\Users\Admin\AppData\Local\Temp\_MEI22962\win32api.pyd

MD5 64fec318efd64fa98ea427a70c02c808
SHA1 f6e9ba6a4ce4d300f63004aee6ca967363cc68a1
SHA256 e000f1d7dd22a0a6e87160c633fdd5e35ce8e1e367d612a870f4428ab84af10a
SHA512 6f6daff5f9be46ba1bd312d8be2bb9a5be1fda9f4d1603f528286290b907c5ff6e21939e62e3f101b30bb173519e39d0e00c5157c89093c52ab036d95ee9a758

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Good_Hits_Parser.exe

MD5 9fb44d65c246d1ab437097a93a3f60d4
SHA1 60b85de037daa52d84a78f9b0efb9333cab97a88
SHA256 8e27c0148a54e406f3078db8fb26e427f466b1dd3443000fc8f81b756a1550c0
SHA512 b3276bfdcb852a0b268c0d53ea467561da3e9dcb4768510f28e57ee3dbbb1156e29dfc2b601d33d8f4f070c8ca4299fcde70ca9986addf37d7c710a786197c70

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-21 17:11

Reported

2024-05-21 17:14

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\clipper.pyc

Signatures

Enumerates physical storage devices

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 705191f6a1abda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{340259F1-1795-11EF-919D-C273E1627A77} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\open\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\open\CommandId = "IE.File" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\open C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2316 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2316 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3056 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3056 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3056 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 2636 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 2636 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 2636 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\clipper.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\clipper.pyc

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\clipper.pyc

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\clipper.pyc

Network

Files

N/A