Malware Analysis Report

2024-11-30 13:04

Sample ID 240620-hv8ycavflc
Target The.Coffin.of.Andy.and.Leyley.v2.0.12.zip
SHA256 e6dc3469212702ad968863b5d47a0bb9b121818dc7dca2aae309537b918ce76b
Tags execution, pyinstaller
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral8, behavioral16, behavioral20, behavioral31, behavioral14, behavioral15, behavioral27, behavioral29, behavioral30, behavioral5, behavioral6, behavioral13, behavioral26, behavioral28, behavioral18, behavioral19, behavioral2, behavioral12, behavioral23, behavioral10, behavioral17, behavioral32, behavioral4, behavioral7, behavioral22, behavioral24, behavioral1, behavioral3, behavioral9, behavioral11, behavioral21, behavioral25 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score

7/10

SHA256

e6dc3469212702ad968863b5d47a0bb9b121818dc7dca2aae309537b918ce76b

Threat Level: Shows suspicious behavior

The file The.Coffin.of.Andy.and.Leyley.v2.0.12.zip was found to show suspicious behavior.

Malicious Activity Summary

execution pyinstaller

Loads dropped DLL

Program crash

Detects Pyinstaller

Command and Scripting Interpreter: JavaScript

Unsigned PE

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 07:06

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

156s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.url"

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

156s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 4932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1580 wrote to memory of 4932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1580 wrote to memory of 4932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 612

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win7-20240508-en

Max time kernel

122s

Max time network

138s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\main.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\main.js"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win10v2004-20240611-en

Max time kernel

134s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5096 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5096 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 79.242.123.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win7-20240221-en

Max time kernel

118s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 220

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win7-20231129-en

Max time kernel

120s

Max time network

131s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win7-20240221-en

Max time kernel

121s

Max time network

136s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\libs\pixi.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\libs\pixi.js"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win10v2004-20240508-en

Max time kernel

47s

Max time network

66s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\libs\pixi.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\libs\pixi.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win7-20231129-en

Max time kernel

119s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe

"C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe"

C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe

"C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI11082\python311.dll

MD5 e2bd5ae53427f193b42d64b8e9bf1943
SHA1 7c317aad8e2b24c08d3b8b3fba16dd537411727f
SHA256 c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400
SHA512 ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:14

Platform

win10v2004-20240226-en

Max time kernel

100s

Max time network

219s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe

"C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe"

C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe

"C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.exe"

Network

Country Destination Domain Proto
GB 216.58.201.106:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 10.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI25642\python311.dll

MD5 e2bd5ae53427f193b42d64b8e9bf1943
SHA1 7c317aad8e2b24c08d3b8b3fba16dd537411727f
SHA256 c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400
SHA512 ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

C:\Users\Admin\AppData\Local\Temp\_MEI25642\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\_MEI25642\base_library.zip

MD5 ebb4f1a115f0692698b5640869f30853
SHA1 9ba77340a6a32af08899e7f3c97841724dd78c3f
SHA256 4ab0deb6a298d14a0f50d55dc6ce5673b6c5320817ec255acf282191642a4576
SHA512 3f6ba7d86c9f292344f4ad196f4ae863bf936578dd7cfac7dc4aaf05c2c78e68d5f813c4ed36048b6678451f1717deeb77493d8557ee6778c6a70beb5294d21a

C:\Users\Admin\AppData\Local\Temp\_MEI25642\loctool.pyd

MD5 9e89b90be4b88466a5e0030001641ed4
SHA1 88624631ce068d51f92e6341ddcd67f82ce88b2c
SHA256 73ca053f244c614ee1a91a07a52f20f48a94c37be25facc527a9777960a1e55d
SHA512 d60ab780f8082795a566f1377a9f13c00f9a52250d7309fc44bb84e97c008c7b97dfe78877ab565df4880476cfbec0edd42cadb2487b05f86a7d3f26a98f7d67

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl86t.dll

MD5 ac6cd2fb2cd91780db186b8d6e447b7c
SHA1 b387b9b6ca5f0a2b70028ab2147789c4fe24ef7a
SHA256 a91781fe13548b89817462b00058a75fb0b607ec8ce99d265719ced573ade7b6
SHA512 45b24ca07a44d8d90e5efeded2697a37f000b39d305fe63a67292fdd237de3f8efd5e85b139b5702faa695f9f27f12f24ac497e005e2f3c24c141d7cd85305b6

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk86t.dll

MD5 499fa3dea045af56ee5356c0ce7d6ce2
SHA1 0444b7d4ecd25491245824c17b84916ee5b39f74
SHA256 20139f4c327711baf18289584fa0c8112f7bb3ba55475bded21f3d107672ed94
SHA512 d776749effa241ba1415b28d2fcff1d64ed903569a8c4e56dfddd672a53b2f44119734b1959b72a9b3f4060bb2c67b7dea959cc2d4a8e9f781f17009c6840fc1

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\encoding\cp1252.enc

MD5 e9117326c06fee02c478027cb625c7d8
SHA1 2ed4092d573289925a5b71625cf43cc82b901daf
SHA256 741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e
SHA512 d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

C:\Users\Admin\AppData\Local\Temp\_MEI25642\_tkinter.pyd

MD5 6352db60d88705ce62b5665764529006
SHA1 e7a22fd590661e91dfe5cace1adff17d7a3de5ec
SHA256 4536d9092a366426aa01e1800d9d4de669928bbcb277f2363d54df44da096c31
SHA512 78b19668c82aef75dcdf98fd0b90677f3530cb7e80dc7cfec5640637fecb3e5d4fb38c21051fc305133882d26c6f8ecb03825227a3d66c5045b968bdc624bd2c

C:\Users\Admin\AppData\Local\Temp\_MEI25642\_bz2.pyd

MD5 a62207fc33140de460444e191ae19b74
SHA1 9327d3d4f9d56f1846781bcb0a05719dea462d74
SHA256 ebcac51449f323ae3ae961a33843029c34b6a82138ccd9214cf99f98dd2148c2
SHA512 90f9db9ee225958cb3e872b79f2c70cb1fd2248ebaa8f3282afff9250285852156bf668f5cfec49a4591b416ce7ebaaac62d2d887152f5356512f2347e3762b7

C:\Users\Admin\AppData\Local\Temp\_MEI25642\_lzma.pyd

MD5 0c7ea68ca88c07ae6b0a725497067891
SHA1 c2b61a3e230b30416bc283d1f3ea25678670eb74
SHA256 f74aaf0aa08cf90eb1eb23a474ccb7cb706b1ede7f911daf7ae68480765bdf11
SHA512 fd52f20496a12e6b20279646663d880b1354cffea10793506fe4560ed7da53e4efba900ae65c9996fbb3179c83844a9674051385e6e3c26fb2622917351846b9

C:\Users\Admin\AppData\Local\Temp\_MEI25642\libcrypto-1_1.dll

MD5 9d7a0c99256c50afd5b0560ba2548930
SHA1 76bd9f13597a46f5283aa35c30b53c21976d0824
SHA256 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939
SHA512 cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

C:\Users\Admin\AppData\Local\Temp\_MEI25642\_hashlib.pyd

MD5 787b82d4466f393366657b8f1bc5f1a9
SHA1 658639cddda55ac3bfc452db4ec9cf88851e606b
SHA256 241322647ba9f94bdc3ae387413ffb57ae14c8cf88bd564a31fe193c6ca43e37
SHA512 afcf66962958f38eec8b591aa30d380eb0e1b41028836058ff91b4d1472658de9fba3262f5c27ba688bd73da018e938f398e45911cd37584f623073067f575b6

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\init.tcl

MD5 982eae7a49263817d83f744ffcd00c0e
SHA1 81723dfea5576a0916abeff639debe04ce1d2c83
SHA256 331bcf0f9f635bd57c3384f2237260d074708b0975c700cfcbdb285f5f59ab1f
SHA512 31370d8390c4608e7a727eed9ee7f4c568ecb913ae50184b6f105da9c030f3b9f4b5f17968d8975b2f60df1b0c5e278512e74267c935fe4ec28f689ac6a97129

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\auto.tcl

MD5 08edf746b4a088cb4185c165177bd604
SHA1 395cda114f23e513eef4618da39bb86d034124bf
SHA256 517204ee436d08efc287abc97433c3bffcaf42ec6592a3009b9fd3b985ad772c
SHA512 c1727e265a6b0b54773c886a1bce73512e799ba81a4fceeeb84cdc33f5505a5e0984e96326a78c46bf142bc4652a80e213886f60eb54adf92e4dffe953c87f6b

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\tclIndex

MD5 c62fb22f4c9a3eff286c18421397aaf4
SHA1 4a49b8768cff68f2effaf21264343b7c632a51b2
SHA256 ddf7e42def37888ad0a564aa4f8ca95f4eec942cebebfca851d35515104d5c89
SHA512 558d401cb6af8ce3641af55caebc9c5005ab843ee84f60c6d55afbbc7f7129da9c58c2f55c887c3159107546fa6bc13ffc4cca63ea8841d7160b8aa99161a185

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\tm.tcl

MD5 215262a286e7f0a14f22db1aa7875f05
SHA1 66b942ba6d3120ef8d5840fcdeb06242a47491ff
SHA256 4b7ed9fd2363d6876092db3f720cbddf97e72b86b519403539ba96e1c815ed8f
SHA512 6ecd745d7da9d826240c0ab59023c703c94b158ae48c1410faa961a8edb512976a4f15ae8def099b58719adf0d2a9c37e6f29f54d39c1ab7ee81fa333a60f39b

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\fonts.tcl

MD5 80331fcbe4c049ff1a0d0b879cb208de
SHA1 4eb3efdfe3731bd1ae9fd52ce32b1359241f13cf
SHA256 b94c319e5a557a5665b1676d602b6495c0887c5bacf7fa5b776200112978bb7b
SHA512 a4bd2d91801c121a880225f1f3d0c4e30bf127190cf375f6f7a49eb4239a35c49c44f453d6d3610df0d6a7b3cb15f4e79bd9c129025cc496ceb856fcc4b6de87

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\ttk.tcl

MD5 af45b2c8b43596d1bdeca5233126bd14
SHA1 a99e75d299c4579e10fcdd59389b98c662281a26
SHA256 2c48343b1a47f472d1a6b9ee8d670ce7fb428db0db7244dc323ff4c7a8b4f64b
SHA512 c8a8d01c61774321778ab149f6ca8dda68db69133cb5ba7c91938e4fd564160ecdcec473222affb241304a9acc73a36b134b3a602fd3587c711f2adbb64afa80

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\text.tcl

MD5 7c2ac370de0b941ae13572152419c642
SHA1 7598cc20952fa590e32da063bf5c0f46b0e89b15
SHA256 4a42ad370e0cd93d4133b49788c0b0e1c7cd78383e88bacb51cb751e8bfda15e
SHA512 8325a33bfd99f0fce4f14ed5dc6e03302f6ffabce9d1abfefc24d16a09ab3439a4b753cbf06b28d8c95e4ddabfb9082c9b030619e8955a7e656bd6c61b9256c3

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\spinbox.tcl

MD5 77dfe1baccd165a0c7b35cdeaa2d1a8c
SHA1 426ba77fc568d4d3a6e928532e5beb95388f36a0
SHA256 2ff791a44406dc8339c7da6116e6ec92289bee5fc1367d378f48094f4abea277
SHA512 e56db85296c8661ab2ea0a56d9810f1a4631a9f9b41337560cbe38ccdf7dd590a3e65c22b435ce315eff55ee5b8e49317d4e1b7577e25fc3619558015dd758eb

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\scrlbar.tcl

MD5 5249cd1e97e48e3d6dec15e70b9d7792
SHA1 612e021ba25b5e512a0dfd48b6e77fc72894a6b9
SHA256 eec90404f702d3cfbfaec0f13bf5ed1ebeb736bee12d7e69770181a25401c61f
SHA512 e4e0ab15eb9b3118c30cd2ff8e5af87c549eaa9b640ffd809a928d96b4addefb9d25efdd1090fbd0019129cdf355bb2f277bc7194001ba1d2ed4a581110ceafc

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\scale.tcl

MD5 857add6060a986063b0ed594f6b0cd26
SHA1 b1981d33ddea81cfffa838e5ac80e592d9062e43
SHA256 0da2dc955ffd71062a21c3b747d9d59d66a5b09a907b9ed220be1b2342205a05
SHA512 7d9829565efc8cdbf9249913da95b02d8dadfdb3f455fd3c10c5952b5454fe6e54d95c07c94c1e0d7568c9742caa56182b3656e234452aec555f0fcb76a59fb1

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\panedwindow.tcl

MD5 286c01a1b12261bc47f5659fd1627abd
SHA1 4ca36795cab6dfe0bbba30bb88a2ab71a0896642
SHA256 aa4f87e41ac8297f51150f2a9f787607690d01793456b93f0939c54d394731f9
SHA512 d54d5a89b7408a9724a1ca1387f6473bdad33885194b2ec5a524c7853a297fd65ce2a57f571c51db718f6a00dce845de8cf5f51698f926e54ed72cdc81bcfe54

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\menu.tcl

MD5 078782cd05209012a84817ac6ef11450
SHA1 dba04f7a6cf34c54a961f25e024b6a772c2b751d
SHA256 d1283f67e435aab0bdbe9fdaa540a162043f8d652c02fe79f3843a451f123d89
SHA512 79a031f7732aee6e284cd41991049f1bb715233e011562061cd3405e5988197f6a7fb5c2bbddd1fb9b7024047f6003a2bf161fc0ec04876eff5335c3710d9562

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\listbox.tcl

MD5 804e6dce549b2e541986c0ce9e75e2d1
SHA1 c44ee09421f127cf7f4070a9508f22709d06d043
SHA256 47c75f9f8348bf8f2c086c57b97b73741218100ca38d10b8abdf2051c95b9801
SHA512 029426c4f659848772e6bb1d8182eb03d2b43adf68fcfcc1ea1c2cc7c883685deda3fffda7e071912b9bda616ad7af2e1cb48ce359700c1a22e1e53e81cae34b

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\entry.tcl

MD5 f109865c52d1fd602e2d53e559e56c22
SHA1 5884a3bb701c27ba1bf35c6add7852e84d73d81f
SHA256 af1de90270693273b52fc735da6b5cd5ca794f5afd4cf03ffd95147161098048
SHA512 b2f92b0ac03351cdb785d3f7ef107b61252398540b5f05f0cc9802b4d28b882ba6795601a68e88d3abc53f216b38f07fcc03660ab6404cf6685f6d80cc4357fc

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\button.tcl

MD5 aeb53f7f1506cdfdfe557f54a76060ce
SHA1 ebb3666ee444b91a0d335da19c8333f73b71933b
SHA256 1f5dd8d81b26f16e772e92fd2a22accb785004d0ed3447e54f87005d9c6a07a5
SHA512 acdad4df988df6b2290fc9622e8eaccc31787fecdc98dcca38519cb762339d4d3fb344ae504b8c7918d6f414f4ad05d15e828df7f7f68f363bec54b11c9b7c43

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\icons.tcl

MD5 995a0a8f7d0861c268aead5fc95a42ea
SHA1 21e121cf85e1c4984454237a646e58ec3c725a72
SHA256 1264940e62b9a37967925418e9d0dc0befd369e8c181b9bab3d1607e3cc14b85
SHA512 db7f5e0bc7d5c5f750e396e645f50a3e0cde61c9e687add0a40d0c1aa304ddfbceeb9f33ad201560c6e2b051f2eded07b41c43d00f14ee435cdeee73b56b93c7

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\opt0.4\pkgIndex.tcl

MD5 07532085501876dcc6882567e014944c
SHA1 6bc7a122429373eb8f039b413ad81c408a96cb80
SHA256 6a4abd2c519a745325c26fb23be7bbf95252d653a24806eb37fd4aa6a6479afe
SHA512 0d604e862f3a1a19833ead99aaf15a9f142178029ab64c71d193cee4901a0196c1eeddc2bce715b7fa958ac45c194e63c77a71e4be4f9aedfd5b44cf2a726e76

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\http1.0\pkgIndex.tcl

MD5 a387908e2fe9d84704c2e47a7f6e9bc5
SHA1 f3c08b3540033a54a59cb3b207e351303c9e29c6
SHA256 77265723959c092897c2449c5b7768ca72d0efcd8c505bddbb7a84f6aa401339
SHA512 7ac804d23e72e40e7b5532332b4a8d8446c6447bb79b4fe32402b13836079d348998ea0659802ab0065896d4f3c06f5866c6b0d90bf448f53e803d8c243bbc63

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\pkgIndex.tcl

MD5 3367ce12a4ba9baaf7c5127d7412aa6a
SHA1 865c775bb8f56c3c5dfc8c71bfaf9ef58386161d
SHA256 3f2539e85e2a9017913e61fe2600b499315e1a6f249a4ff90e0b530a1eeb8898
SHA512 f5d858f17fe358762e8fdbbf3d78108dba49be5c5ed84b964143c0adce76c140d904cd353646ec0831ff57cd0a0af864d1833f3946a235725fff7a45c96872eb

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl\package.tcl

MD5 ddb0ab9842b64114138a8c83c4322027
SHA1 eccacdc2ccd86a452b21f3cf0933fd41125de790
SHA256 f46ab61cdebe3aa45fa7e61a48930d64a0d0e7e94d04d6bf244f48c36cafe948
SHA512 c0cf718258b4d59675c088551060b34ce2bc8638958722583ac2313dc354223bfef793b02f1316e522a14c7ba9bed219531d505de94dc3c417fc99d216a01463

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tcl8\8.5\msgcat-1.6.1.tm

MD5 bd4ff2a1f742d9e6e699eeee5e678ad1
SHA1 811ad83aff80131ba73abc546c6bd78453bf3eb9
SHA256 6774519f179872ec5292523f2788b77b2b839e15665037e097a0d4edddd1c6fb
SHA512 b77e4a68017ba57c06876b21b8110c636f9ba1dd0ba9d7a0c50096f3f6391508cf3562dd94aceaf673113dbd336109da958044aefac0afb0f833a652e4438f43

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\cursors.tcl

MD5 18ec3e60b8dd199697a41887be6ce8c2
SHA1 13ff8ce95289b802a5247b1fd9dea90d2875cb5d
SHA256 7a2ed9d78fabcafff16694f2f4a2e36ff5aa313f912d6e93484f3bcd0466ad91
SHA512 4848044442efe75bcf1f89d8450c8ecbd441f38a83949a3cd2a56d9000cacaa2ea440ca1b32c856ab79358ace9c7e3f70ddf0ec54aa93866223d8fef76930b19

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\tk.tcl

MD5 338184e46bd23e508daedbb11a4f0950
SHA1 437db31d487c352472212e8791c8252a1412cb0e
SHA256 0f617d96cbf213296d7a5f7fcffbb4ae1149840d7d045211ef932e8dd66683e9
SHA512 8fb8a353eecd0d19638943f0a9068dccebf3fb66d495ea845a99a89229d61a77c85b530f597fd214411202055c1faa9229b6571c591c9f4630490e1eb30b9cd3

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\combobox.tcl

MD5 f7065d345a4bfb3127c3689bf1947c30
SHA1 9631c05365b0f5a36e4ca5cba83628ccd7fcbde1
SHA256 68eed4af6d2ec5b3ea24b1122a704b040366cbe2f458103137479352ffa1475a
SHA512 74b99b9e326680150dd5ec7263192691bcd8a71b2a4ee7f3177deddd43e924a7925085c6d372731a70570f96b3924450255b2f54ca3b9c44d1160ca37e715b00

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\entry.tcl

MD5 89089172393c551cd1668b9c19b88290
SHA1 0b8667217a4a14289e9f6c1b384def5479bca089
SHA256 830cc3009a735e92db70d53210c4928dd35caab5051ed14dec67e06ae25cbe28
SHA512 abbbe6aa937aab392bc7dcb8bbfbbec9ee5ed2c9f10ed982d77258bd98f27ee95ac47fd7cb6761b814885ef0878e1f1557d034c9f4163d9d85b388f2b837683f

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\panedwindow.tcl

MD5 619d8f54ee73ad8a373ab272fbdb94a6
SHA1 973626b5396b7e786dedd8159d10e66b4465f9e0
SHA256 4d08a7e29eef731876951ef01dfa51654b6275fa3daadb1f48ff4bbeac238eb5
SHA512 0d913c7dc9daee2b4a2a46663a07b3139d6b8f30d2f942642817504535e85616835eaa7d468851a83723a3dd711b65761376f3df96a59a933a74ef096e13ace9

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\notebook.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\progress.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\scale.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\scrollbar.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\menubutton.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\button.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\utils.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\defaults.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\sizegrip.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\treeview.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\spinbox.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\xpTheme.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\winTheme.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\clamTheme.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\altTheme.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI25642\tk\ttk\classicTheme.tcl

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win7-20240611-en

Max time kernel

120s

Max time network

133s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 1732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win10v2004-20240611-en

Max time kernel

132s

Max time network

148s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

Country Destination Domain Proto
US 20.189.173.13:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 89.61.62.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

160s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\index.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3536 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3536 wrote to memory of 1360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3536 wrote to memory of 4236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3536 wrote to memory of 4844 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\index.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffcaab846f8,0x7ffcaab84708,0x7ffcaab84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4392 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x52c 0x530

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,11111530245476341283,15889036482240277412,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2436 /prefetch:2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_3536_YXBXHNABGTLJIPUO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ddc8d1dc1ad3c3f176820efe5b76882c
SHA1 4f863175dd7829fd80d8ce9faf7747e3564bfcd7
SHA256 f9e2be51bc0b4221eabf9d11f4c0159fda8d68b505ef7ab87d65b2348d2797af
SHA512 6476723f5528b1bc6aea6aef64da300d11b6584795f61b309247f6799fe05116fb15c2d0f58aefc65fdd1a2fd6a52d09367eb328352d7dd652b8c009a245ed9c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a09d270e0a494122e5a6eaaf6a016d3d
SHA1 f104683f147b289c9f60390bc34ec01ccb4e2dd5
SHA256 fefd768f4a6e9067a20455a00da37d901d217986001f7a5cc59ffabaceb9bf13
SHA512 70b47ec0add2f727f9031c4288fb0e41032d9313ee9d7fc6eaa69432e9222b082577a7b2afbf0bbd2e410f3bdfc1f698880e90c454c50e3f0a34506e001f083d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7dd328d2d4f6f918e711e097ddc02ef5
SHA1 bd9bbfe42098b9f80b2f2feebfe45fb709f71877
SHA256 e559748dea8c85f3e62f7786880ac61259029a71d414ba347c7f8cdbb1ddda31
SHA512 820d4e74f8c63d9f2ac75931d1846e37b4b5a7d57ba93e32ddc62fd4458526a503573cc80c23bb1b190102cf871749fdcc045472d80aa42c5cc40a614b8be5b4

Analysis: behavioral19

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:13
Platform win7-20231129-en
Max time kernel 119s
Max time network 131s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:13
Platform win10v2004-20240508-en
Max time kernel 134s
Max time network 156s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\swiftshader\libEGL.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2640 wrote to memory of 3388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2640 wrote to memory of 3388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2640 wrote to memory of 3388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\swiftshader\libEGL.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\swiftshader\libEGL.dll",#1

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:13
Platform win10v2004-20240611-en
Max time kernel 141s
Max time network 154s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5104 wrote to memory of 4460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5104 wrote to memory of 4460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5104 wrote to memory of 4460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:13
Platform win7-20240419-en
Max time kernel 120s
Max time network 133s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:13
Platform win10v2004-20240508-en
Max time kernel 47s
Max time network 64s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:13
Platform win7-20240508-en
Max time kernel 133s
Max time network 141s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\index.html"

Signatures

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not captured in report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425029291" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000005c2646522f98d1fe38b07c9057873973604cbb8fd3a578d994f5b78ac5881b12000000000e8000000002000020000000f44eb2465f5b576cbf7ce1601a1932d65b31d9026ea92e692cc673627fddba2c200000008d84760a764f20a2a69c1f53c33ed88abc5700bb77fb23ced018323a7c7671b340000000844103c2c6b7db54e7a853f6f0988c28686abc8655a3403e85715068e5803455bc45e2693937bdfb74a08432fc33fc9f42748497116d752f859f1672694ac060 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{29B03161-2ED4-11EF-BB21-6AD47596CE83} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f04efee0c2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\index.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab6347.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar6439.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05c83a936cb6c21087bf0fb0746e4913
SHA1 0b58d50368c31b052453e2523161a92708250137
SHA256 d625749040d4db78b9536ccc595a3d23ada460838692e0e7230f203dad356a12
SHA512 bc819b601c9f4e35ba54c34e8d5c1b6e5c6bbce1a7fc00f668e742129ca03275dd5cf6521ef09f1adf273cf03456b639dbba7f29b60b24aed64ea22c4d97ba8e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2467db9b20440767da2ac375565d56e9
SHA1 38a47f4747bc595b3acbe5fb804fd24436046f64
SHA256 b0d6d550aaead80fbf63b2474cc2edaf7d3de44663058c83c466b859a23ca215
SHA512 517bf74e87644e643c6a622245f4516be70af6b459511cb62094fa088cd642555b77e3fa20e04174e26dcb87e43926a19626eafd5b3aca01806a978e494a0a68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4295938a0a2672f2caa891765ddb2527
SHA1 7ae3137c5aecdbd9c956c0536686b0caff93afe6
SHA256 706142530db2192e5e238572f7065b6ee698ba4fff2893398042d5a559217831
SHA512 84d2d0a93918341f01c25f1fed244bfb34708371716865712f1331a2236b5bb4dac047a1f8635fb708f92a2eab9ea6e751677d30b10a280cd088a4ab09b4ea45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63ec796ad7722640d3acbc39af8c7c32
SHA1 9d7a72a5bdcee24b7cd3869a2f70a1fc693bf951
SHA256 7a89634c4ee143f33008d0980b305187a8e5bb3051c87c8aa1181f08cdcdfa73
SHA512 01bf8daa3527af40abd3278715301573bd32a251ba61b56b2bbeaf9fd9ef189c74b2f9c2a3571ad4b215a4db94deab23f036fec71ce84f811556c29e65bbbe4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3216ebe3092595f2ff92a9b18b8b255
SHA1 7878611436640f796b472e494f496bf2e1685e2c
SHA256 9a9b15762d64352b14997639c83b8c1bf9c5b8b692275e370588aec14a5b48af
SHA512 bb2d7cc745063ab843f0df8eb9db9112cc2a976722198d512e8753ee74ede478b6b8b6cdf5a430414a31269b316e25f76c339d07a4098fec67d720bd69848afc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 deec17824c35cd6aec769a7786197d53
SHA1 54cc7819b2721bb7f94ca22fe2fdbe8103fe2066
SHA256 feeae8e51f13729a55967e53a4c446e5916eff5b1881f63277dc12912b267819
SHA512 31a7e19fabcc68f14b51f1101f72c6ea0254e1dd39d51f73f4b5e5a81dd51e23405a9ebd20651a7157242cdf1e5ba17f9dc6b7159209bd8c295347b0692d0dac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5869b5ee37b039fd7966c0af0bba5810
SHA1 f86200954ffcf3accf53b0b121ea0123736b6ce4
SHA256 26a87326186334e3412c226f83bf283ea5496d162e8d560744ea862025b17b4e
SHA512 b7053113747fcaf24eb11c9e0b1c5b50f33266a8a51f79930245d7ea1a7fad1bfb2333bf89c16a7607be06ee2c0fbcfb91f9957dadab97c01c8c5dc72ee5cc58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9df8815118076cd46a39c4ab454fac13
SHA1 176123b498d473325cdfa48b9b30c0180280a049
SHA256 3f6cf65016b48c292dbd9b8b01e5ad11ae2b4f46baac2859373b3d3d28cb43d6
SHA512 9f56a4211e4561ad0436094928fe8391eb4900a0fc27f53a05fdd070ea87a40317f1c199b4919bd28f1b685035d0d9575173b5e4ddd5599af41e949aa0cd62fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16743fea3ce271319c8524711d82e3b6
SHA1 f6c372f10bd151b15d43799fd130ee4b73e7e50d
SHA256 f21844d73eab76a303f639eaba65d4cc9fc2576bf51c39e434d4ed807602c332
SHA512 6f6d808d4f56e2a8bcb4732ec07adeccb29d3991cb8a16ecadfe2c3c0cc76e60c02580f28f0b5864e2200c12419b3b6e00f76018661be8340eb9ff1ea9a32799

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35d3831fbb19803a1cbea5c04dc450d9
SHA1 1bfd9b48d1fdd5cb2fdc0aea1490d0146837dbe7
SHA256 40cb01b596cf51846348a73d37c6fd1cca1180fbca345f8f3a7103ec8eddb0d3
SHA512 2268fbe9192e3de83e622fbb028de48d6a436e31d77bee70cda293eeb6a2de6203b4ad6642b1e77bd49075cdb89a099aac5482c54d0e178c3388f47539b336a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 afd8de5b04c17dfbb8e79ee68456530e
SHA1 66e011e3c91e429232fce5b005fa3016c7823abe
SHA256 f2557e263ca5f92165f6d988fa158f52971c5278728dfc6e1bc7a2d47bbcd769
SHA512 98df8955d394140aef78f1c59085276c79be46df3398aecbc1559f4a29e4d9af3c4d197068eb788a916c297878ffba8f6e54a59ca60dd344143e00077c365ad2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6214df16bb4ffacdcd1d9bd07c9b662
SHA1 1b77418c61e7bfe8fab133ebb7353e6c99d00869
SHA256 10a6245421cf027c3a9eee65509439861351b0aee93eacfbeab16848f176b53f
SHA512 46e50f720f6473890de92606ac83c1fcfeb2475eae5cc6a2d6a37c6289e1b5caee83c42d072e29fc5765fa01e1d49cad4defe8aac93772abd060273254178287

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19da22e8b5b90d7d6e6d2d30baf02aac
SHA1 a24edd64d533e6e579e7782d7e479675ccd75ea5
SHA256 de9e1dd8a6d7825df23a4d43333c4100ce2c124603469d539c9bd34618d54090
SHA512 d14183e41a9bee8283fe18abf49d45010d2255fa756e6b495b598fb3cb7627fe6c40307cd350ac4dd242d1d32425faf38a53843fdf1dfd8487da286a43fdd431

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d49f163e2c2813fdeb18e7ed92b6e742
SHA1 24929b8a44497d4dd55e289fbf32eb18bc3d2446
SHA256 e60127ba9c392d2e57787b9608911405b7e0cbe1fca043676ca576a09ffba35d
SHA512 562ab21878508f10a89e19f349070f8bcba68eee12153fe9ce0cfeaa013fbb7029dcb50c152626928c729e005fb3c433c4c73c5cae92177e942c91db3316b521

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc7da67c72bff8c062b1772b0defeeba
SHA1 64e286465a35b589132974602e8cf51c43d0aa33
SHA256 fcfbbfc3cc69dfebae67d8576a0de99ddd1ff7ef5340cd59a1cf4dfbeca5582f
SHA512 f0899037b69f510e6cd3f82ae01b7ca5c08698d6f3971b393c3b3f8f3853d96061da685eeb5717f7b483c89be3ddc90939feee417288f658f6e46afacb2db33d

Analysis: behavioral32

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:13
Platform win10v2004-20240508-en
Max time kernel 47s
Max time network 67s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\main.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\www\js\main.js"

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:13
Platform win10v2004-20240611-en
Max time kernel 142s
Max time network 157s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 860 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 860 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 860 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1888 -ip 1888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:13
Platform win7-20240611-en
Max time kernel 121s
Max time network 131s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.url"

Network

N/A

Files

memory/2392-0-0x0000000001D80000-0x0000000001D81000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:14
Platform win10v2004-20240226-en
Max time kernel 104s
Max time network 220s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.204.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:13
Platform win10v2004-20240611-en
Max time kernel 138s
Max time network 143s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-20 07:04
Reported 2024-06-20 07:13
Platform win7-20240611-en
Max time kernel 120s
Max time network 134s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\swiftshader\libEGL.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2888 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2888 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2888 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2888 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2888 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2888 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\swiftshader\libEGL.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and Leyley\swiftshader\libEGL.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win7-20240508-en

Max time kernel

121s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 220

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win7-20240508-en

Max time kernel

121s

Max time network

135s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win7-20240508-en

Max time kernel

122s

Max time network

134s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2012 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2012 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2012 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2012 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2012 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2012 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:14

Platform

win7-20240611-en

Max time kernel

7s

Max time network

35s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-20 07:04

Reported

2024-06-20 07:13

Platform

win7-20240508-en

Max time kernel

122s

Max time network

140s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\The.Coffin.of.Andy.and.Leyley.v2.0.12\The.Coffin.of.Andy.and.Leyley.v2.0.12\The Coffin of Andy and L.js"

Network

N/A

Files

N/A