Analysis Overview
SHA256
a73f85cffbfb17fcd05be567ebafc30b91d5ff2270f964f95f7b8dfce61f1b78
Threat Level: Likely malicious
The file 85.zip was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Modifies file permissions
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Opens file in notepad (likely ransom note)
Modifies Internet Explorer settings
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 14:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\141\141.exe
"C:\Users\Admin\AppData\Local\Temp\141\141.exe"
C:\Users\Admin\AppData\Local\Temp\141\Addons\bin\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\141\Addons\bin\javaw.exe" -version
C:\Users\Admin\AppData\Local\Temp\141\Addons\bin\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\141\Addons\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\141\141.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
Files
C:\Users\Admin\.oracle_jre_usage\494c6a9a065ca8e1.timestamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win7-20240508-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\141\Addons\README.txt
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win7-20240611-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\141\Addons\lib\deploy.jar
Network
Files
memory/2596-2-0x00000000026C0000-0x0000000002930000-memory.dmp
memory/2596-10-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2596-11-0x00000000026C0000-0x0000000002930000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
158s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\141\Addons\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\141\141.exe
"C:\Users\Admin\AppData\Local\Temp\141\141.exe"
C:\Users\Admin\AppData\Local\Temp\141\Addons\bin\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\141\Addons\bin\javaw.exe" -version
C:\Users\Admin\AppData\Local\Temp\141\Addons\bin\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\141\Addons\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\141\141.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 194.147.35.251:80 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| RU | 194.147.35.251:80 | | tcp |
| RU | 194.147.35.251:80 | | tcp |
| RU | 194.147.35.251:80 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
Files
C:\Users\Admin\.oracle_jre_usage\494c6a9a065ca8e1.timestamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4jqbtr0.111.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 270ff48f39e577946da300ffb583c71e |
| SHA1 | 684ab9244c1d39d36d68905f439fad7848cfdceb |
| SHA256 | 4c368664f8d62952efacc89de5b4542a14a2d053bcfa6d653eca214fcf3ea866 |
| SHA512 | 49defa449f4f996f67e78b9f8b434491120ce15b697a5e3847dad69cb81fda0649a1810392783e721cac24cec4a82f098236e0c584bb11ecbc6499555b9a3825 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 555e3c67034212c8ed2643672418b2bf |
| SHA1 | d7d1e9c4a9ae3950fd356f95a17283967fcca799 |
| SHA256 | d2eca1c364628ab11cdc8abe2a580022f871aea6b8b11fe74766f7b740aa5eb5 |
| SHA512 | 4dd4f96464f3510b45777ef906679a26512c83f883f371844416a64095a0a6f4ad3308fa5abb06266aea43d9701a3b3d7247df13d27f062e7294644a2ec31878 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 29dd3b69a02e297a52f765c0ff022798 |
| SHA1 | f9741d5468736eb970943bde7829e6738faf025b |
| SHA256 | 997fd0b9a29eb1571ee1524f99efcb9ea516a7a5d95e3fefdef078a9800d757d |
| SHA512 | 9a51042e1a138d7082b3e516808b3f3c8f578da5dd6661a8ccf5ae5df89a74adbe0a313ce1734bd7e352c7c0f784fcefa1b6075d4f2c9bf4ba192f0ecf00d7cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 68a3824b1f84e77b77ef588170556dde |
| SHA1 | 3b22d91aac33f299aafc56b6cfea500b5c075107 |
| SHA256 | a400148c544ce51a129246d4df14ff9c80408651166fc93502ed01bd628ae34b |
| SHA512 | 7fa44b81b5964396c660b58673bf64a765841496bca48922dc009ab40b078e0672371b6a223f9c45164bac102e68cb43b81dc81615baa61d693fe6025bf8ebf2 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win10v2004-20240226-en
Max time kernel
132s
Max time network
163s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\141\Addons\THIRDPARTYLICENSEREADME.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=744 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win7-20240508-en
Max time kernel
122s
Max time network
131s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\141\Addons\COPYRIGHT
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win7-20240221-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\141\Addons\LICENSE
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win10v2004-20240611-en
Max time kernel
90s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\141\Addons\LICENSE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
157s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\141\Addons\README.txt
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win7-20240611-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\141\Addons\THIRDPARTYLICENSEREADME.txt
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win10v2004-20240611-en
Max time kernel
90s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\141\Addons\COPYRIGHT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win7-20240611-en
Max time kernel
117s
Max time network
142s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f5e6699dbdda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424450512" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000009c4db9a45df9a559f200d5f1b0766ed1fd6e757281a7f0331c11218b556cf89000000000e8000000002000020000000d0dd09f7a0fdcc9c08fb44eefd826bcdff0e207709c96337e018394037c548762000000012a299954004611dfb0405ffcdb10d4b347775e99c5a6b4f47b38510377452fd4000000026d10daf9cd4702134e3b19aab8ef4570916505348f99c8a53b0b153e17b00d42325a7a9bd9500a309095a000f09010a6fc563d45aedda983f72d4260a57ee6a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000d64a4f3d8da52988f366097f4f2f486c6f32985156b56509777a199ec233b99d000000000e800000000200002000000027cb206bc09e407581b51bf8d8a55b629c6f71802c8acafc73f6cec6c17c671990000000258c100446fc7032df4227bfc51d88c86a4e2320c39fae26fa6e229e5cb9bd2f88be1159d186244e773c496e6c91e9c04c2269034fa3a5326e8bd1da5fc95989fe2a3f5936d0dde28842997133bc0e0e34d880d043525d5f80e2eee53c69ed8c704cd06287e35145d076a12987aeecb5c1d269480fc22ca0be4d5e2bb53077e466de1d8c5a5c72b78fc0ee08aa54bf11400000006fb2790311e7ade1f4f86d38fc1261efadb1808e55c82f9f6d705e82e4caf586cbb89f4c1619d4b7a1190de5810df2dfd3ddbcd99428be4b7c1fa95b411584f6 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{94D18051-2990-11EF-AAC6-46C1B5BE3FA8} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 2564 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2280 wrote to memory of 2564 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2280 wrote to memory of 2564 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2280 wrote to memory of 2564 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\141\Addons\Welcome.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab94A3.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar9563.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 025c5c7bff28cbdb9cb253682c421283 |
| SHA1 | 5029f898681bd2cef8376798b6ae679ce27273b0 |
| SHA256 | 8cfc85e26ca30fafbd3f34a4f8c203da99fd87ecf1ba0b79bc514e5c7ae54e7f |
| SHA512 | 28e4c7cbcb0a67a1f497d6d9ee0291ef6ddf7012cc0ff575fcc164ca550f4db9b1ba2ed5d777a0ff6d0584aae5928d62e3305fb26748958a59b6755a5a97a1b5 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win10v2004-20240611-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\141\Addons\Welcome.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeba3b46f8,0x7ffeba3b4708,0x7ffeba3b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,7784288346672211445,2459167198233368764,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2632 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c39b3aa574c0c938c80eb263bb450311 |
| SHA1 | f4d11275b63f4f906be7a55ec6ca050c62c18c88 |
| SHA256 | 66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c |
| SHA512 | eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232 |
\??\pipe\LOCAL\crashpad_1200_YCIWSVDTILLYZHWG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | dabfafd78687947a9de64dd5b776d25f |
| SHA1 | 16084c74980dbad713f9d332091985808b436dea |
| SHA256 | c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201 |
| SHA512 | dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 93356e88a341dfdc8a0ad3ba8a488465 |
| SHA1 | b66f5611f3fc95812bde1ae6bae324da831bb703 |
| SHA256 | 2b526e0164efc2fcc555636903ba96a44a675267664606b2855eb5ad7f9f325b |
| SHA512 | d60a7c184d1e01429d6c6eb4891eb0fcebd06a2d3c9583439ffafce9d01593c92f4ada0bd4663897161c40bfce7a4040595886878b4510e847e1be96a519db13 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a4f41984f4ee43e01f193da62c29bfd6 |
| SHA1 | 90e05e49f29cb3b541e37159065ae669a6d9392c |
| SHA256 | 022b65cf33bd493c270455d6f861506c86c0f113001157d84af5dafa032c120b |
| SHA512 | bdb1940bc95dcd53312bff647ae3cd4c3d797bc6ec9a13a6502b90e6dc3149cc0b3c2ca20006019ee39d07e84697b4771db4e936853021a795b50cbe159e390c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 702ed4b33c81ae3d3f0256ac7eff1bc6 |
| SHA1 | b1701a9366bfea834e79d3cfd5bb858eb5b51651 |
| SHA256 | ac6370e1214c1d0ba6f865e8b03c508509b2f22010533b4654f8ab5aeafbf2e4 |
| SHA512 | 7cc50aa570cc705b28475b04b2b485e7b566dc873ec44b17355f0a29867f4a0f620ee70749c8d30ef742e1b530c89e3f2f87ad1a81ab2e8af9cdfeedcfcc75bc |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-13 14:16
Reported
2024-06-13 14:26
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
155s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 208 wrote to memory of 1148 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 208 wrote to memory of 1148 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\141\Addons\lib\deploy.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/208-2-0x0000020759C40000-0x0000020759EB0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 57d8caeb1b8dcb04f8179dd97db8dbfa |
| SHA1 | edb824e23c3887a30b75e85b69abf95261a01aef |
| SHA256 | f4684d5869b50050c00e4de2c35cea1b0862f6541d96da82c3373c936038a0da |
| SHA512 | 013cdf7b13c55ae96d767dfab928a26e4914779e93f71eca50b4f5138d2358570abf4e8a4af0abc53a7ba44a187811226a4552d10f5c347155e11a715989fedd |
memory/208-12-0x00000207583E0000-0x00000207583E1000-memory.dmp
memory/208-13-0x0000020759C40000-0x0000020759EB0000-memory.dmp