Analysis Overview
SHA256
e6dc3469212702ad968863b5d47a0bb9b121818dc7dca2aae309537b918ce76b
Threat Level: Shows suspicious behavior
The file The.Coffin.of.Andy.and.Leyley.v2.0.12.zip was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Program crash
Detects Pyinstaller
Command and Scripting Interpreter: JavaScript
Unsigned PE
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 07:06
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240508-en
Max time kernel
135s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.url"
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240508-en
Max time kernel
135s
Max time network
156s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1580 wrote to memory of 4932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1580 wrote to memory of 4932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1580 wrote to memory of 4932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 612
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
153s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240508-en
Max time kernel
122s
Max time network
138s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\main.js"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240611-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5096 wrote to memory of 4584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5096 wrote to memory of 4584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5096 wrote to memory of 4584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.242.123.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240221-en
Max time kernel
118s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 220
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20231129-en
Max time kernel
120s
Max time network
131s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240221-en
Max time kernel
121s
Max time network
136s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\libs\pixi.js"
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240508-en
Max time kernel
47s
Max time network
66s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\libs\pixi.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20231129-en
Max time kernel
119s
Max time network
131s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe
"C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe"
C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe
"C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI11082\python311.dll
| MD5 | e2bd5ae53427f193b42d64b8e9bf1943 |
| SHA1 | 7c317aad8e2b24c08d3b8b3fba16dd537411727f |
| SHA256 | c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400 |
| SHA512 | ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:14
Platform
win10v2004-20240226-en
Max time kernel
100s
Max time network
219s
Command Line
Signatures
Loads dropped DLL
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe
"C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe"
C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe
"C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.201.106:443 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI25642\python311.dll
| MD5 | e2bd5ae53427f193b42d64b8e9bf1943 |
| SHA1 | 7c317aad8e2b24c08d3b8b3fba16dd537411727f |
| SHA256 | c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400 |
| SHA512 | ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\base_library.zip
| MD5 | ebb4f1a115f0692698b5640869f30853 |
| SHA1 | 9ba77340a6a32af08899e7f3c97841724dd78c3f |
| SHA256 | 4ab0deb6a298d14a0f50d55dc6ce5673b6c5320817ec255acf282191642a4576 |
| SHA512 | 3f6ba7d86c9f292344f4ad196f4ae863bf936578dd7cfac7dc4aaf05c2c78e68d5f813c4ed36048b6678451f1717deeb77493d8557ee6778c6a70beb5294d21a |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\loctool.pyd
| MD5 | 9e89b90be4b88466a5e0030001641ed4 |
| SHA1 | 88624631ce068d51f92e6341ddcd67f82ce88b2c |
| SHA256 | 73ca053f244c614ee1a91a07a52f20f48a94c37be25facc527a9777960a1e55d |
| SHA512 | d60ab780f8082795a566f1377a9f13c00f9a52250d7309fc44bb84e97c008c7b97dfe78877ab565df4880476cfbec0edd42cadb2487b05f86a7d3f26a98f7d67 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl86t.dll
| MD5 | ac6cd2fb2cd91780db186b8d6e447b7c |
| SHA1 | b387b9b6ca5f0a2b70028ab2147789c4fe24ef7a |
| SHA256 | a91781fe13548b89817462b00058a75fb0b607ec8ce99d265719ced573ade7b6 |
| SHA512 | 45b24ca07a44d8d90e5efeded2697a37f000b39d305fe63a67292fdd237de3f8efd5e85b139b5702faa695f9f27f12f24ac497e005e2f3c24c141d7cd85305b6 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk86t.dll
| MD5 | 499fa3dea045af56ee5356c0ce7d6ce2 |
| SHA1 | 0444b7d4ecd25491245824c17b84916ee5b39f74 |
| SHA256 | 20139f4c327711baf18289584fa0c8112f7bb3ba55475bded21f3d107672ed94 |
| SHA512 | d776749effa241ba1415b28d2fcff1d64ed903569a8c4e56dfddd672a53b2f44119734b1959b72a9b3f4060bb2c67b7dea959cc2d4a8e9f781f17009c6840fc1 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\encoding\cp1252.enc
| MD5 | e9117326c06fee02c478027cb625c7d8 |
| SHA1 | 2ed4092d573289925a5b71625cf43cc82b901daf |
| SHA256 | 741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e |
| SHA512 | d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_tkinter.pyd
| MD5 | 6352db60d88705ce62b5665764529006 |
| SHA1 | e7a22fd590661e91dfe5cace1adff17d7a3de5ec |
| SHA256 | 4536d9092a366426aa01e1800d9d4de669928bbcb277f2363d54df44da096c31 |
| SHA512 | 78b19668c82aef75dcdf98fd0b90677f3530cb7e80dc7cfec5640637fecb3e5d4fb38c21051fc305133882d26c6f8ecb03825227a3d66c5045b968bdc624bd2c |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_bz2.pyd
| MD5 | a62207fc33140de460444e191ae19b74 |
| SHA1 | 9327d3d4f9d56f1846781bcb0a05719dea462d74 |
| SHA256 | ebcac51449f323ae3ae961a33843029c34b6a82138ccd9214cf99f98dd2148c2 |
| SHA512 | 90f9db9ee225958cb3e872b79f2c70cb1fd2248ebaa8f3282afff9250285852156bf668f5cfec49a4591b416ce7ebaaac62d2d887152f5356512f2347e3762b7 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_lzma.pyd
| MD5 | 0c7ea68ca88c07ae6b0a725497067891 |
| SHA1 | c2b61a3e230b30416bc283d1f3ea25678670eb74 |
| SHA256 | f74aaf0aa08cf90eb1eb23a474ccb7cb706b1ede7f911daf7ae68480765bdf11 |
| SHA512 | fd52f20496a12e6b20279646663d880b1354cffea10793506fe4560ed7da53e4efba900ae65c9996fbb3179c83844a9674051385e6e3c26fb2622917351846b9 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\libcrypto-1_1.dll
| MD5 | 9d7a0c99256c50afd5b0560ba2548930 |
| SHA1 | 76bd9f13597a46f5283aa35c30b53c21976d0824 |
| SHA256 | 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939 |
| SHA512 | cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\_hashlib.pyd
| MD5 | 787b82d4466f393366657b8f1bc5f1a9 |
| SHA1 | 658639cddda55ac3bfc452db4ec9cf88851e606b |
| SHA256 | 241322647ba9f94bdc3ae387413ffb57ae14c8cf88bd564a31fe193c6ca43e37 |
| SHA512 | afcf66962958f38eec8b591aa30d380eb0e1b41028836058ff91b4d1472658de9fba3262f5c27ba688bd73da018e938f398e45911cd37584f623073067f575b6 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\init.tcl
| MD5 | 982eae7a49263817d83f744ffcd00c0e |
| SHA1 | 81723dfea5576a0916abeff639debe04ce1d2c83 |
| SHA256 | 331bcf0f9f635bd57c3384f2237260d074708b0975c700cfcbdb285f5f59ab1f |
| SHA512 | 31370d8390c4608e7a727eed9ee7f4c568ecb913ae50184b6f105da9c030f3b9f4b5f17968d8975b2f60df1b0c5e278512e74267c935fe4ec28f689ac6a97129 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\auto.tcl
| MD5 | 08edf746b4a088cb4185c165177bd604 |
| SHA1 | 395cda114f23e513eef4618da39bb86d034124bf |
| SHA256 | 517204ee436d08efc287abc97433c3bffcaf42ec6592a3009b9fd3b985ad772c |
| SHA512 | c1727e265a6b0b54773c886a1bce73512e799ba81a4fceeeb84cdc33f5505a5e0984e96326a78c46bf142bc4652a80e213886f60eb54adf92e4dffe953c87f6b |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\tclIndex
| MD5 | c62fb22f4c9a3eff286c18421397aaf4 |
| SHA1 | 4a49b8768cff68f2effaf21264343b7c632a51b2 |
| SHA256 | ddf7e42def37888ad0a564aa4f8ca95f4eec942cebebfca851d35515104d5c89 |
| SHA512 | 558d401cb6af8ce3641af55caebc9c5005ab843ee84f60c6d55afbbc7f7129da9c58c2f55c887c3159107546fa6bc13ffc4cca63ea8841d7160b8aa99161a185 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\tm.tcl
| MD5 | 215262a286e7f0a14f22db1aa7875f05 |
| SHA1 | 66b942ba6d3120ef8d5840fcdeb06242a47491ff |
| SHA256 | 4b7ed9fd2363d6876092db3f720cbddf97e72b86b519403539ba96e1c815ed8f |
| SHA512 | 6ecd745d7da9d826240c0ab59023c703c94b158ae48c1410faa961a8edb512976a4f15ae8def099b58719adf0d2a9c37e6f29f54d39c1ab7ee81fa333a60f39b |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\fonts.tcl
| MD5 | 80331fcbe4c049ff1a0d0b879cb208de |
| SHA1 | 4eb3efdfe3731bd1ae9fd52ce32b1359241f13cf |
| SHA256 | b94c319e5a557a5665b1676d602b6495c0887c5bacf7fa5b776200112978bb7b |
| SHA512 | a4bd2d91801c121a880225f1f3d0c4e30bf127190cf375f6f7a49eb4239a35c49c44f453d6d3610df0d6a7b3cb15f4e79bd9c129025cc496ceb856fcc4b6de87 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\ttk.tcl
| MD5 | af45b2c8b43596d1bdeca5233126bd14 |
| SHA1 | a99e75d299c4579e10fcdd59389b98c662281a26 |
| SHA256 | 2c48343b1a47f472d1a6b9ee8d670ce7fb428db0db7244dc323ff4c7a8b4f64b |
| SHA512 | c8a8d01c61774321778ab149f6ca8dda68db69133cb5ba7c91938e4fd564160ecdcec473222affb241304a9acc73a36b134b3a602fd3587c711f2adbb64afa80 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\text.tcl
| MD5 | 7c2ac370de0b941ae13572152419c642 |
| SHA1 | 7598cc20952fa590e32da063bf5c0f46b0e89b15 |
| SHA256 | 4a42ad370e0cd93d4133b49788c0b0e1c7cd78383e88bacb51cb751e8bfda15e |
| SHA512 | 8325a33bfd99f0fce4f14ed5dc6e03302f6ffabce9d1abfefc24d16a09ab3439a4b753cbf06b28d8c95e4ddabfb9082c9b030619e8955a7e656bd6c61b9256c3 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\spinbox.tcl
| MD5 | 77dfe1baccd165a0c7b35cdeaa2d1a8c |
| SHA1 | 426ba77fc568d4d3a6e928532e5beb95388f36a0 |
| SHA256 | 2ff791a44406dc8339c7da6116e6ec92289bee5fc1367d378f48094f4abea277 |
| SHA512 | e56db85296c8661ab2ea0a56d9810f1a4631a9f9b41337560cbe38ccdf7dd590a3e65c22b435ce315eff55ee5b8e49317d4e1b7577e25fc3619558015dd758eb |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\scrlbar.tcl
| MD5 | 5249cd1e97e48e3d6dec15e70b9d7792 |
| SHA1 | 612e021ba25b5e512a0dfd48b6e77fc72894a6b9 |
| SHA256 | eec90404f702d3cfbfaec0f13bf5ed1ebeb736bee12d7e69770181a25401c61f |
| SHA512 | e4e0ab15eb9b3118c30cd2ff8e5af87c549eaa9b640ffd809a928d96b4addefb9d25efdd1090fbd0019129cdf355bb2f277bc7194001ba1d2ed4a581110ceafc |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\scale.tcl
| MD5 | 857add6060a986063b0ed594f6b0cd26 |
| SHA1 | b1981d33ddea81cfffa838e5ac80e592d9062e43 |
| SHA256 | 0da2dc955ffd71062a21c3b747d9d59d66a5b09a907b9ed220be1b2342205a05 |
| SHA512 | 7d9829565efc8cdbf9249913da95b02d8dadfdb3f455fd3c10c5952b5454fe6e54d95c07c94c1e0d7568c9742caa56182b3656e234452aec555f0fcb76a59fb1 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\panedwindow.tcl
| MD5 | 286c01a1b12261bc47f5659fd1627abd |
| SHA1 | 4ca36795cab6dfe0bbba30bb88a2ab71a0896642 |
| SHA256 | aa4f87e41ac8297f51150f2a9f787607690d01793456b93f0939c54d394731f9 |
| SHA512 | d54d5a89b7408a9724a1ca1387f6473bdad33885194b2ec5a524c7853a297fd65ce2a57f571c51db718f6a00dce845de8cf5f51698f926e54ed72cdc81bcfe54 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\menu.tcl
| MD5 | 078782cd05209012a84817ac6ef11450 |
| SHA1 | dba04f7a6cf34c54a961f25e024b6a772c2b751d |
| SHA256 | d1283f67e435aab0bdbe9fdaa540a162043f8d652c02fe79f3843a451f123d89 |
| SHA512 | 79a031f7732aee6e284cd41991049f1bb715233e011562061cd3405e5988197f6a7fb5c2bbddd1fb9b7024047f6003a2bf161fc0ec04876eff5335c3710d9562 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\listbox.tcl
| MD5 | 804e6dce549b2e541986c0ce9e75e2d1 |
| SHA1 | c44ee09421f127cf7f4070a9508f22709d06d043 |
| SHA256 | 47c75f9f8348bf8f2c086c57b97b73741218100ca38d10b8abdf2051c95b9801 |
| SHA512 | 029426c4f659848772e6bb1d8182eb03d2b43adf68fcfcc1ea1c2cc7c883685deda3fffda7e071912b9bda616ad7af2e1cb48ce359700c1a22e1e53e81cae34b |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\entry.tcl
| MD5 | f109865c52d1fd602e2d53e559e56c22 |
| SHA1 | 5884a3bb701c27ba1bf35c6add7852e84d73d81f |
| SHA256 | af1de90270693273b52fc735da6b5cd5ca794f5afd4cf03ffd95147161098048 |
| SHA512 | b2f92b0ac03351cdb785d3f7ef107b61252398540b5f05f0cc9802b4d28b882ba6795601a68e88d3abc53f216b38f07fcc03660ab6404cf6685f6d80cc4357fc |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\button.tcl
| MD5 | aeb53f7f1506cdfdfe557f54a76060ce |
| SHA1 | ebb3666ee444b91a0d335da19c8333f73b71933b |
| SHA256 | 1f5dd8d81b26f16e772e92fd2a22accb785004d0ed3447e54f87005d9c6a07a5 |
| SHA512 | acdad4df988df6b2290fc9622e8eaccc31787fecdc98dcca38519cb762339d4d3fb344ae504b8c7918d6f414f4ad05d15e828df7f7f68f363bec54b11c9b7c43 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\icons.tcl
| MD5 | 995a0a8f7d0861c268aead5fc95a42ea |
| SHA1 | 21e121cf85e1c4984454237a646e58ec3c725a72 |
| SHA256 | 1264940e62b9a37967925418e9d0dc0befd369e8c181b9bab3d1607e3cc14b85 |
| SHA512 | db7f5e0bc7d5c5f750e396e645f50a3e0cde61c9e687add0a40d0c1aa304ddfbceeb9f33ad201560c6e2b051f2eded07b41c43d00f14ee435cdeee73b56b93c7 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\opt0.4\pkgIndex.tcl
| MD5 | 07532085501876dcc6882567e014944c |
| SHA1 | 6bc7a122429373eb8f039b413ad81c408a96cb80 |
| SHA256 | 6a4abd2c519a745325c26fb23be7bbf95252d653a24806eb37fd4aa6a6479afe |
| SHA512 | 0d604e862f3a1a19833ead99aaf15a9f142178029ab64c71d193cee4901a0196c1eeddc2bce715b7fa958ac45c194e63c77a71e4be4f9aedfd5b44cf2a726e76 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\http1.0\pkgIndex.tcl
| MD5 | a387908e2fe9d84704c2e47a7f6e9bc5 |
| SHA1 | f3c08b3540033a54a59cb3b207e351303c9e29c6 |
| SHA256 | 77265723959c092897c2449c5b7768ca72d0efcd8c505bddbb7a84f6aa401339 |
| SHA512 | 7ac804d23e72e40e7b5532332b4a8d8446c6447bb79b4fe32402b13836079d348998ea0659802ab0065896d4f3c06f5866c6b0d90bf448f53e803d8c243bbc63 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\pkgIndex.tcl
| MD5 | 3367ce12a4ba9baaf7c5127d7412aa6a |
| SHA1 | 865c775bb8f56c3c5dfc8c71bfaf9ef58386161d |
| SHA256 | 3f2539e85e2a9017913e61fe2600b499315e1a6f249a4ff90e0b530a1eeb8898 |
| SHA512 | f5d858f17fe358762e8fdbbf3d78108dba49be5c5ed84b964143c0adce76c140d904cd353646ec0831ff57cd0a0af864d1833f3946a235725fff7a45c96872eb |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\package.tcl
| MD5 | ddb0ab9842b64114138a8c83c4322027 |
| SHA1 | eccacdc2ccd86a452b21f3cf0933fd41125de790 |
| SHA256 | f46ab61cdebe3aa45fa7e61a48930d64a0d0e7e94d04d6bf244f48c36cafe948 |
| SHA512 | c0cf718258b4d59675c088551060b34ce2bc8638958722583ac2313dc354223bfef793b02f1316e522a14c7ba9bed219531d505de94dc3c417fc99d216a01463 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl8\8.5\msgcat-1.6.1.tm
| MD5 | bd4ff2a1f742d9e6e699eeee5e678ad1 |
| SHA1 | 811ad83aff80131ba73abc546c6bd78453bf3eb9 |
| SHA256 | 6774519f179872ec5292523f2788b77b2b839e15665037e097a0d4edddd1c6fb |
| SHA512 | b77e4a68017ba57c06876b21b8110c636f9ba1dd0ba9d7a0c50096f3f6391508cf3562dd94aceaf673113dbd336109da958044aefac0afb0f833a652e4438f43 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\cursors.tcl
| MD5 | 18ec3e60b8dd199697a41887be6ce8c2 |
| SHA1 | 13ff8ce95289b802a5247b1fd9dea90d2875cb5d |
| SHA256 | 7a2ed9d78fabcafff16694f2f4a2e36ff5aa313f912d6e93484f3bcd0466ad91 |
| SHA512 | 4848044442efe75bcf1f89d8450c8ecbd441f38a83949a3cd2a56d9000cacaa2ea440ca1b32c856ab79358ace9c7e3f70ddf0ec54aa93866223d8fef76930b19 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\tk.tcl
| MD5 | 338184e46bd23e508daedbb11a4f0950 |
| SHA1 | 437db31d487c352472212e8791c8252a1412cb0e |
| SHA256 | 0f617d96cbf213296d7a5f7fcffbb4ae1149840d7d045211ef932e8dd66683e9 |
| SHA512 | 8fb8a353eecd0d19638943f0a9068dccebf3fb66d495ea845a99a89229d61a77c85b530f597fd214411202055c1faa9229b6571c591c9f4630490e1eb30b9cd3 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\combobox.tcl
| MD5 | f7065d345a4bfb3127c3689bf1947c30 |
| SHA1 | 9631c05365b0f5a36e4ca5cba83628ccd7fcbde1 |
| SHA256 | 68eed4af6d2ec5b3ea24b1122a704b040366cbe2f458103137479352ffa1475a |
| SHA512 | 74b99b9e326680150dd5ec7263192691bcd8a71b2a4ee7f3177deddd43e924a7925085c6d372731a70570f96b3924450255b2f54ca3b9c44d1160ca37e715b00 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\entry.tcl
| MD5 | 89089172393c551cd1668b9c19b88290 |
| SHA1 | 0b8667217a4a14289e9f6c1b384def5479bca089 |
| SHA256 | 830cc3009a735e92db70d53210c4928dd35caab5051ed14dec67e06ae25cbe28 |
| SHA512 | abbbe6aa937aab392bc7dcb8bbfbbec9ee5ed2c9f10ed982d77258bd98f27ee95ac47fd7cb6761b814885ef0878e1f1557d034c9f4163d9d85b388f2b837683f |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\panedwindow.tcl
| MD5 | 619d8f54ee73ad8a373ab272fbdb94a6 |
| SHA1 | 973626b5396b7e786dedd8159d10e66b4465f9e0 |
| SHA256 | 4d08a7e29eef731876951ef01dfa51654b6275fa3daadb1f48ff4bbeac238eb5 |
| SHA512 | 0d913c7dc9daee2b4a2a46663a07b3139d6b8f30d2f942642817504535e85616835eaa7d468851a83723a3dd711b65761376f3df96a59a933a74ef096e13ace9 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\notebook.tcl
| MD5 | f811f3e46a4efa73292f40d1cddd265d |
| SHA1 | 7fc70a1984555672653a0840499954b854f27920 |
| SHA256 | 22264d8d138e2c0e9a950305b4f08557c5a73f054f8215c0d8ce03854042be76 |
| SHA512 | 4424b7c687eb9b1804ed3b1c685f19d4d349753b374d9046240f937785c9713e8a760ada46cb628c15f9c7983ce4a7987691c968330478c9c1a9b74e953e40ac |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\progress.tcl
| MD5 | dbf3bf0e8f04e9435e9561f740dfc700 |
| SHA1 | c7619a05a834efb901c57dcfec2c9e625f42428f |
| SHA256 | 697cc0a75ae31fe9c2d85fb25dca0afa5d0df9c523a2dfad2e4a36893be75fba |
| SHA512 | d3b323dfb3eac4a78da2381405925c131a99c6806af6fd8041102162a44e48bf166982a4ae4aa142a14601736716f1a628d9587e292fa8e4842be984374cc192 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\scale.tcl
| MD5 | f1c33cc2d47115bbecd2e7c2fcb631a7 |
| SHA1 | 0123a961242ed8049b37c77c726db8dbd94c1023 |
| SHA256 | b909add0b87fa8ee08fd731041907212a8a0939d37d2ff9b2f600cd67dabd4bb |
| SHA512 | 96587a8c3555da1d810010c10c516ce5ccab071557a3c8d9bd65c647c7d4ad0e35cbed0788f1d72bafac8c84c7e2703fc747f70d9c95f720745a1fc4a701c544 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\scrollbar.tcl
| MD5 | 3fb31a225cec64b720b8e579582f2749 |
| SHA1 | 9c0151d9e2543c217cf8699ff5d4299a72e8f13c |
| SHA256 | 6eaa336b13815a7fc18bcd6b9adf722e794da2888d053c229044784c8c8e9de8 |
| SHA512 | e6865655585e3d2d6839b56811f3fd86b454e8cd44e258bb1ac576ad245ff8a4d49fbb7f43458ba8a6c9daac8dfa923a176f0dd8a9976a11bea09e6e2d17bf45 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\menubutton.tcl
| MD5 | 4c8d90257d073f263b258f00b2a518c2 |
| SHA1 | 7b58859e9b70fb37f53809cd3ffd7cf69ab310d8 |
| SHA256 | 972b13854d0e9b84de338d6753f0f11f3a8534e7d0e51838796dae5a1e2e3085 |
| SHA512 | ed67f41578ee834ee8db1fded8aa069c0045e7058e338c451fa8e1ade52907bed0c95631c21b8e88461571903b3da2698a29e47f990b7a0f0dd3073e7a1bcadc |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\button.tcl
| MD5 | d4bf1af5dcdd85e3bd11dbf52eb2c146 |
| SHA1 | b1691578041319e671d31473a1dd404855d2038b |
| SHA256 | e38a9d1f437981aa6bf0bdd074d57b769a4140c0f7d9aff51743fe4ecc6dfddf |
| SHA512 | 25834b4b231f4ff1a88eef67e1a102d1d0546ec3b0d46856258a6be6bbc4b381389c28e2eb60a01ff895df24d6450cd16ca449c71f82ba53ba438a4867a47dcd |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\utils.tcl
| MD5 | d98edc491da631510f124cd3934f535f |
| SHA1 | 33037a966067c9f5c9074ae5532ff3b51b4082d4 |
| SHA256 | d58610a34301bb6e61a60bec69a7cecf4c45c6a034a9fc123977174b586278be |
| SHA512 | 23faed8298e561f490997fe44ab61cd8ccb9f1f63d48bb4cf51fc9e591e463ff9297973622180d6a599cabb541c82b8fe33bf38a82c5d5905bbfa52ca0341399 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\defaults.tcl
| MD5 | fc79f42761d63172163c08f0f5c94436 |
| SHA1 | aabab4061597d0d6dc371f46d14aaa1a859096df |
| SHA256 | 49ae8faf169165bddaf01d50b52943ebab3656e9468292b7890be143d0fcbc91 |
| SHA512 | f619834a95c9deb93f8184bcc437d701a961c77e24a831adbd5c145556d26986bfda2a6acb9e8784f8b2380e122d12ac893eb1b6acf03098922889497e1ff9ea |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\sizegrip.tcl
| MD5 | dd6a1737b14d3f7b2a0b4f8be99c30af |
| SHA1 | e6b06895317e73cd3dc78234dd74c74f3db8c105 |
| SHA256 | e92d77b5cdca2206376db2129e87e3d744b3d5e31fde6c0bbd44a494a6845ce1 |
| SHA512 | b74ae92edd53652f8a3db0d84c18f9ce9069805bcab0d3c2dbb537d7c241aa2681da69b699d88a10029798d7b5bc015682f64699ba475ae6a379eef23b48daaf |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\treeview.tcl
| MD5 | f705b3a292d02061da0abb4a8dd24077 |
| SHA1 | fd75c2250f6f66435444f7deef383c6397ed2368 |
| SHA256 | c88b60ffb0f72e095f6fc9786930add7f9ed049eabc713f889f9a7da516e188c |
| SHA512 | 09817638dd3d3d5c57fa630c7edf2f19c3956c9bd264dbf07627fa14a03aecd22d5a5319806e49ef1030204fadef17c57ce8eae4378a319ad2093321d9151c8f |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\spinbox.tcl
| MD5 | 9c2833faa9248f09bc2e6ab1ba326d59 |
| SHA1 | f13cf048fd706bbb1581dc80e33d1aad910d93e8 |
| SHA256 | df286bb59f471aa1e19df39af0ef7aa84df9f04dc4a439a747dd8ba43c300150 |
| SHA512 | 5ff3be1e3d651c145950c3fc5b8c2e842211c937d1042173964383d4d59ecf5dd0ec39ff7771d029716f2d895f0b1a72591ef3bf7947fe64d4d6db5f0b8abffb |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\xpTheme.tcl
| MD5 | 162f30d2716438c75ea16b57e6f63088 |
| SHA1 | 3f626ff0496bb16b27106bed7e38d1c72d1e3e27 |
| SHA256 | aedb21c6b2909a4bb4686837d2126e521a8cc2b38414a4540387b801ebd75466 |
| SHA512 | 6ebf9648f1381d04f351bb469b6e3a38f3d002189c92eaf80a18d65632037ff37d34ec8814bbf7fae34553645bfc13985212f24684ee8c4e205729b975c88c97 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\winTheme.tcl
| MD5 | 769c0719a4044f91e7d132a25291e473 |
| SHA1 | 6fb07b0c887d443a43fb15d5728920b578171219 |
| SHA256 | ae82bccce708ff9c303cbcb3d4cc3ff5577a60d5b23822ea79e3e07cce3cbbd1 |
| SHA512 | 47fed061ddc6b4eb63ef77901d0094ff2ebb1bafacb3f44fbf13fb59dea1ec83985b2862086ecf1a7957819a88a0faa144b35f16bea9356bbd9775070d42e636 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\clamTheme.tcl
| MD5 | 2b20e7b2e6bddbeb14f5f63bf38dbf24 |
| SHA1 | 43db48094c4bd7de3b76afbc051d887fefe9887e |
| SHA256 | cffc59931fdd1683ad23895e92522cf49b099128753fcdff34374024e42cf995 |
| SHA512 | 1eb5ea78d26d18ead6563afbf1798f71723001dcc945e7db3e4368564d0563029be3565876ad8cb97331cfe34b2a0a313fa1bf252b87049160fe5dcd65434775 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\altTheme.tcl
| MD5 | 01f28512e10acbddf93ae2bb29e343bc |
| SHA1 | c9cf23d6315218b464061f011e4a9dc8516c8f1f |
| SHA256 | ae0437fb4e0ebd31322e4eaca626c12abde602da483bb39d0c5ee1bc00ab0af4 |
| SHA512 | fe3bae36ddb67f6d7a90b7a91b6ec1a009cf26c0167c46635e5a9ceaec9083e59ddf74447bf6f60399657ee9604a2314b170f78a921cf948b2985ddf02a89da6 |
C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\classicTheme.tcl
| MD5 | 0205663142775f4ef2eb104661d30979 |
| SHA1 | 452a0d613288a1cc8a1181c3cc1167e02aa69a73 |
| SHA256 | 424bba4fb6836feebe34f6c176ed666dce51d2fba9a8d7aa756abcbbad3fc1e3 |
| SHA512 | fb4d212a73a6f5a8d2774f43d310328b029b52b35bee133584d8326363b385ab7aa4ae25e98126324cc716962888321e0006e5f6ef8563919a1d719019b2d117 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240611-en
Max time kernel
120s
Max time network
133s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2976 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240611-en
Max time kernel
132s
Max time network
148s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.13:443 | tcp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240508-en
Max time kernel
135s
Max time network
160s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\index.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffcaab846f8,0x7ffcaab84708,0x7ffcaab84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4392 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c 0x530
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2436 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4158365912175436289496136e7912c2 |
| SHA1 | 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59 |
| SHA256 | 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1 |
| SHA512 | 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b |
\??\pipe\LOCAL\crashpad_3536_YXBXHNABGTLJIPUO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ce4c898f8fc7601e2fbc252fdadb5115 |
| SHA1 | 01bf06badc5da353e539c7c07527d30dccc55a91 |
| SHA256 | bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa |
| SHA512 | 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ddc8d1dc1ad3c3f176820efe5b76882c |
| SHA1 | 4f863175dd7829fd80d8ce9faf7747e3564bfcd7 |
| SHA256 | f9e2be51bc0b4221eabf9d11f4c0159fda8d68b505ef7ab87d65b2348d2797af |
| SHA512 | 6476723f5528b1bc6aea6aef64da300d11b6584795f61b309247f6799fe05116fb15c2d0f58aefc65fdd1a2fd6a52d09367eb328352d7dd652b8c009a245ed9c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a09d270e0a494122e5a6eaaf6a016d3d |
| SHA1 | f104683f147b289c9f60390bc34ec01ccb4e2dd5 |
| SHA256 | fefd768f4a6e9067a20455a00da37d901d217986001f7a5cc59ffabaceb9bf13 |
| SHA512 | 70b47ec0add2f727f9031c4288fb0e41032d9313ee9d7fc6eaa69432e9222b082577a7b2afbf0bbd2e410f3bdfc1f698880e90c454c50e3f0a34506e001f083d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7dd328d2d4f6f918e711e097ddc02ef5 |
| SHA1 | bd9bbfe42098b9f80b2f2feebfe45fb709f71877 |
| SHA256 | e559748dea8c85f3e62f7786880ac61259029a71d414ba347c7f8cdbb1ddda31 |
| SHA512 | 820d4e74f8c63d9f2ac75931d1846e37b4b5a7d57ba93e32ddc62fd4458526a503573cc80c23bb1b190102cf871749fdcc045472d80aa42c5cc40a614b8be5b4 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20231129-en
Max time kernel
119s
Max time network
131s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
156s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2640 wrote to memory of 3388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2640 wrote to memory of 3388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2640 wrote to memory of 3388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\swiftshader\libEGL.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\swiftshader\libEGL.dll",#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
154s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5104 wrote to memory of 4460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5104 wrote to memory of 4460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5104 wrote to memory of 4460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240419-en
Max time kernel
120s
Max time network
133s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240508-en
Max time kernel
47s
Max time network
64s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240508-en
Max time kernel
133s
Max time network
141s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000009c7ed1e9209081e1ff0caa23f0a5a3a58325a9cc105bdebc3a1cb16824020772000000000e8000000002000020000000a2c9e9be6eb4b942f8b4b67f9283da41179392c635ef5ca389e6cc6faf081c27900000001e19299ec8c97c73fefa3dee647392d1e11f9f9ab4c8682ef5b13f6dd1d856593888bce277b75f0118f3cb75affd3e2d65f4001ae869ac321124e9f8361474630af990aaed45c2f8e7f0862bb13c3adbac1a81c7f6664104f64e70eec9015036801d126288cf8bc028666b2c533ce485a45579207369ba88395025c309e0b4d087afc31d5de1ceef87413acf87b97cea400000004a036a15d080c8c8ca642326828ae369bcb50b60f467544accda64ab70fc5f491114547df1ba2b085a3da7fcbb4de8c0092acb42fa14c762a4b4553deafa827a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425029291" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000005c2646522f98d1fe38b07c9057873973604cbb8fd3a578d994f5b78ac5881b12000000000e8000000002000020000000f44eb2465f5b576cbf7ce1601a1932d65b31d9026ea92e692cc673627fddba2c200000008d84760a764f20a2a69c1f53c33ed88abc5700bb77fb23ced018323a7c7671b340000000844103c2c6b7db54e7a853f6f0988c28686abc8655a3403e85715068e5803455bc45e2693937bdfb74a08432fc33fc9f42748497116d752f859f1672694ac060 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{29B03161-2ED4-11EF-BB21-6AD47596CE83} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f04efee0c2da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1928 wrote to memory of 2364 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1928 wrote to memory of 2364 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1928 wrote to memory of 2364 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1928 wrote to memory of 2364 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\index.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab6347.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar6439.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 05c83a936cb6c21087bf0fb0746e4913 |
| SHA1 | 0b58d50368c31b052453e2523161a92708250137 |
| SHA256 | d625749040d4db78b9536ccc595a3d23ada460838692e0e7230f203dad356a12 |
| SHA512 | bc819b601c9f4e35ba54c34e8d5c1b6e5c6bbce1a7fc00f668e742129ca03275dd5cf6521ef09f1adf273cf03456b639dbba7f29b60b24aed64ea22c4d97ba8e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2467db9b20440767da2ac375565d56e9 |
| SHA1 | 38a47f4747bc595b3acbe5fb804fd24436046f64 |
| SHA256 | b0d6d550aaead80fbf63b2474cc2edaf7d3de44663058c83c466b859a23ca215 |
| SHA512 | 517bf74e87644e643c6a622245f4516be70af6b459511cb62094fa088cd642555b77e3fa20e04174e26dcb87e43926a19626eafd5b3aca01806a978e494a0a68 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4295938a0a2672f2caa891765ddb2527 |
| SHA1 | 7ae3137c5aecdbd9c956c0536686b0caff93afe6 |
| SHA256 | 706142530db2192e5e238572f7065b6ee698ba4fff2893398042d5a559217831 |
| SHA512 | 84d2d0a93918341f01c25f1fed244bfb34708371716865712f1331a2236b5bb4dac047a1f8635fb708f92a2eab9ea6e751677d30b10a280cd088a4ab09b4ea45 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 63ec796ad7722640d3acbc39af8c7c32 |
| SHA1 | 9d7a72a5bdcee24b7cd3869a2f70a1fc693bf951 |
| SHA256 | 7a89634c4ee143f33008d0980b305187a8e5bb3051c87c8aa1181f08cdcdfa73 |
| SHA512 | 01bf8daa3527af40abd3278715301573bd32a251ba61b56b2bbeaf9fd9ef189c74b2f9c2a3571ad4b215a4db94deab23f036fec71ce84f811556c29e65bbbe4e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e3216ebe3092595f2ff92a9b18b8b255 |
| SHA1 | 7878611436640f796b472e494f496bf2e1685e2c |
| SHA256 | 9a9b15762d64352b14997639c83b8c1bf9c5b8b692275e370588aec14a5b48af |
| SHA512 | bb2d7cc745063ab843f0df8eb9db9112cc2a976722198d512e8753ee74ede478b6b8b6cdf5a430414a31269b316e25f76c339d07a4098fec67d720bd69848afc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | deec17824c35cd6aec769a7786197d53 |
| SHA1 | 54cc7819b2721bb7f94ca22fe2fdbe8103fe2066 |
| SHA256 | feeae8e51f13729a55967e53a4c446e5916eff5b1881f63277dc12912b267819 |
| SHA512 | 31a7e19fabcc68f14b51f1101f72c6ea0254e1dd39d51f73f4b5e5a81dd51e23405a9ebd20651a7157242cdf1e5ba17f9dc6b7159209bd8c295347b0692d0dac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5869b5ee37b039fd7966c0af0bba5810 |
| SHA1 | f86200954ffcf3accf53b0b121ea0123736b6ce4 |
| SHA256 | 26a87326186334e3412c226f83bf283ea5496d162e8d560744ea862025b17b4e |
| SHA512 | b7053113747fcaf24eb11c9e0b1c5b50f33266a8a51f79930245d7ea1a7fad1bfb2333bf89c16a7607be06ee2c0fbcfb91f9957dadab97c01c8c5dc72ee5cc58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9df8815118076cd46a39c4ab454fac13 |
| SHA1 | 176123b498d473325cdfa48b9b30c0180280a049 |
| SHA256 | 3f6cf65016b48c292dbd9b8b01e5ad11ae2b4f46baac2859373b3d3d28cb43d6 |
| SHA512 | 9f56a4211e4561ad0436094928fe8391eb4900a0fc27f53a05fdd070ea87a40317f1c199b4919bd28f1b685035d0d9575173b5e4ddd5599af41e949aa0cd62fa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 16743fea3ce271319c8524711d82e3b6 |
| SHA1 | f6c372f10bd151b15d43799fd130ee4b73e7e50d |
| SHA256 | f21844d73eab76a303f639eaba65d4cc9fc2576bf51c39e434d4ed807602c332 |
| SHA512 | 6f6d808d4f56e2a8bcb4732ec07adeccb29d3991cb8a16ecadfe2c3c0cc76e60c02580f28f0b5864e2200c12419b3b6e00f76018661be8340eb9ff1ea9a32799 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35d3831fbb19803a1cbea5c04dc450d9 |
| SHA1 | 1bfd9b48d1fdd5cb2fdc0aea1490d0146837dbe7 |
| SHA256 | 40cb01b596cf51846348a73d37c6fd1cca1180fbca345f8f3a7103ec8eddb0d3 |
| SHA512 | 2268fbe9192e3de83e622fbb028de48d6a436e31d77bee70cda293eeb6a2de6203b4ad6642b1e77bd49075cdb89a099aac5482c54d0e178c3388f47539b336a2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | afd8de5b04c17dfbb8e79ee68456530e |
| SHA1 | 66e011e3c91e429232fce5b005fa3016c7823abe |
| SHA256 | f2557e263ca5f92165f6d988fa158f52971c5278728dfc6e1bc7a2d47bbcd769 |
| SHA512 | 98df8955d394140aef78f1c59085276c79be46df3398aecbc1559f4a29e4d9af3c4d197068eb788a916c297878ffba8f6e54a59ca60dd344143e00077c365ad2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c6214df16bb4ffacdcd1d9bd07c9b662 |
| SHA1 | 1b77418c61e7bfe8fab133ebb7353e6c99d00869 |
| SHA256 | 10a6245421cf027c3a9eee65509439861351b0aee93eacfbeab16848f176b53f |
| SHA512 | 46e50f720f6473890de92606ac83c1fcfeb2475eae5cc6a2d6a37c6289e1b5caee83c42d072e29fc5765fa01e1d49cad4defe8aac93772abd060273254178287 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 19da22e8b5b90d7d6e6d2d30baf02aac |
| SHA1 | a24edd64d533e6e579e7782d7e479675ccd75ea5 |
| SHA256 | de9e1dd8a6d7825df23a4d43333c4100ce2c124603469d539c9bd34618d54090 |
| SHA512 | d14183e41a9bee8283fe18abf49d45010d2255fa756e6b495b598fb3cb7627fe6c40307cd350ac4dd242d1d32425faf38a53843fdf1dfd8487da286a43fdd431 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d49f163e2c2813fdeb18e7ed92b6e742 |
| SHA1 | 24929b8a44497d4dd55e289fbf32eb18bc3d2446 |
| SHA256 | e60127ba9c392d2e57787b9608911405b7e0cbe1fca043676ca576a09ffba35d |
| SHA512 | 562ab21878508f10a89e19f349070f8bcba68eee12153fe9ce0cfeaa013fbb7029dcb50c152626928c729e005fb3c433c4c73c5cae92177e942c91db3316b521 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc7da67c72bff8c062b1772b0defeeba |
| SHA1 | 64e286465a35b589132974602e8cf51c43d0aa33 |
| SHA256 | fcfbbfc3cc69dfebae67d8576a0de99ddd1ff7ef5340cd59a1cf4dfbeca5582f |
| SHA512 | f0899037b69f510e6cd3f82ae01b7ca5c08698d6f3971b393c3b3f8f3853d96061da685eeb5717f7b483c89be3ddc90939feee417288f658f6e46afacb2db33d |
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240508-en
Max time kernel
47s
Max time network
67s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\main.js"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240611-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 860 wrote to memory of 1888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 860 wrote to memory of 1888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 860 wrote to memory of 1888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1888 -ip 1888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240611-en
Max time kernel
121s
Max time network
131s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.url"
Network
Files
memory/2392-0-0x0000000001D80000-0x0000000001D81000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:14
Platform
win10v2004-20240226-en
Max time kernel
104s
Max time network
220s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.204.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win10v2004-20240611-en
Max time kernel
138s
Max time network
143s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240611-en
Max time kernel
120s
Max time network
134s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2888 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2888 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2888 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2888 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2888 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2888 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2888 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\swiftshader\libEGL.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\swiftshader\libEGL.dll",#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240508-en
Max time kernel
121s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 220
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240508-en
Max time kernel
121s
Max time network
135s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240508-en
Max time kernel
122s
Max time network
134s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2012 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2012 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2012 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2012 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2012 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2012 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2012 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:14
Platform
win7-20240611-en
Max time kernel
7s
Max time network
35s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-20 07:04
Reported
2024-06-20 07:13
Platform
win7-20240508-en
Max time kernel
122s
Max time network
140s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"