Malware Analysis Report

2024-10-18 22:17

Sample ID: 240626-mja96atakj
Target: 96229d47f3f7edff90b2e8d8f104da4eb48fd59baafd028352d37298af0d42f5
SHA256: 96229d47f3f7edff90b2e8d8f104da4eb48fd59baafd028352d37298af0d42f5
Tags: qr link upx evasion trojan
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 96229d47f3f7edff90b2e8d8f104da4eb48fd59baafd028352d37298af0d42f5

Threat Level: Shows suspicious behavior

The file 96229d47f3f7edff90b2e8d8f104da4eb48fd59baafd028352d37298af0d42f5 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: qr link upx evasion trojan

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

One or more HTTP URLs in qr code identified

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-26 10:29

Signatures

UPX packed file

Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

One or more HTTP URLs in qr code identified

Tags: qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-26 10:29

Reported: 2024-06-26 10:31

Platform: win7-20240419-en

Max time kernel: 128s

Max time network: 131s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\_____.url

Signatures

Checks whether UAC is enabled

Tags: evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\rundll32.exe N/A

Modifies Internet Explorer settings

Tags: adware spyware

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\_____.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:2

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-26 10:29

Reported: 2024-06-26 10:31

Platform: win10v2004-20240611-en

Max time kernel: 145s

Max time network: 140s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\_____.url

Signatures

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4972 wrote to memory of 3644 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3980 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\_____.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.aichunjing.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb08546f8,0x7ffbb0854708,0x7ffbb0854718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13611513835986304621,3060084537188260954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6060 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.aichunjing.com udp
HK 43.155.96.87:80 www.aichunjing.com tcp
HK 43.155.96.87:80 www.aichunjing.com tcp
HK 43.155.96.87:80 www.aichunjing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
HK 43.155.96.87:443 www.aichunjing.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
US 8.8.8.8:53 87.96.155.43.in-addr.arpa udp
HK 43.155.96.87:443 www.aichunjing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
HK 43.155.96.87:443 www.aichunjing.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
US 8.8.8.8:53 hm.baidu.com udp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
US 52.182.143.211:443 N/A tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
PL 93.184.221.240:80 N/A tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
US 8.8.8.8:53 228.98.240.183.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4819fbc4513c82d92618f50a379ee232
SHA1 ab618827ff269655283bf771fc957c8798ab51ee
SHA256 05e479e8ec96b7505e01e5ec757ccfe35cb73cd46b27ff4746dce90d43d9237c
SHA512 bc24fb972d04b55505101300e268f91b11e5833f1a18e925b5ded7e758b5e3e08bee1aa8f3a0b65514d6df981d0cbfa8798344db7f2a3675307df8de12ae475b

\??\pipe\LOCAL\crashpad_3644_MNKBFFKPARFVNSVS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 257c0005d0c4d0bb282cb470925e4376
SHA1 f9b8efb511ed64292568977c9f2ec255509e8f7d
SHA256 8185c36aaacfc71e42f94fad8e198fe7fb2d868398ceabb89261cae94341cb22
SHA512 2f3e8f352ed3ef88e8c28650390f93f98c92174d268330b886f3ebd1ba0163999051298ee12a054606b4986005452a241c6864cd292e69492d79c37d500556f4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1d9f59243d2b1ea72246eb045d1e6db2
SHA1 9ff21abf1484957aea13ded4fbc72b5ee6b8db19
SHA256 92f3570c43e4b06e00feedc9f3911c213aadd765e592f057e99ca716359d343c
SHA512 ae39a341fbbf04f04a384dd699248abdc60430bdcb4068ba282f3d8b36855eac7488058245b6fc5f7c3f193a14e1d9a1cbed016491d4ac3a78595b4811c439ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9476606e5a793b42d634f2a87ef8e21b
SHA1 20e29ecc16b5568ab7c2c313f90f52cec94c5900
SHA256 6be93d190f32bead1d83e5aee2d765116946dd9de30320665405285a6ba2e3a4
SHA512 c4e3177714ac53cb58c1239ad45fca4c9fb0ca15c3e8667a96a01024f7fc225a77c1898cb27df5a8c325e576dff650150f0384175373aecf2d22b36d0bfc97ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0dfe4936a650810cea3e11be124eb0e7
SHA1 028160a75e22cf683734fb45282172337dbe9b72
SHA256 04fc47fa467a241816c2db62da736aca07cb2c6af36c5aedcdd2d474aa33a38e
SHA512 b4258a96eb99a27af46736513ca59051e9dd5485be5739599fa3c597877d2629bd7c78f3d35237680079c5821f3d5656e2b46c61cec4278c36b2bce3006c201e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 95cd1581c30a5c26f698a8210bcab430
SHA1 5e8e551a47dd682ec51a7d6808fe8e0f2af39e86
SHA256 d58162c5ae5e18fc06604c285e024c01686093d70994dc93b4ae9d85b4c3f7b9
SHA512 e49403df10177053634c431203a91d26df5dfb23cbbb88847459ecdf4b6107040d0944a3e84ee6bb26cb4e8017a35c8c31b658387cd1b6938ba4cb9f59606ece

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 ebcd5192b77f9a4264a0417546b2d430
SHA1 50bfd7fa4a01dacdd1a6eff7b2f6e19688cba8bd
SHA256 6bd6f4ca4c5fcbf974535daf792f3c8ed178b7041ccd52861524dbfc5e67d135
SHA512 be2f16166be40a3cc7c6f52e81195769716cfce7783aedacb13b83acf46caa31b7bd20a016534eb831db4b8af0b6dbb23728b5d123fc13967677a38356ca5280

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 065ecc3290de4c90fa47a967822f191b
SHA1 ab3fe3f38210cfc57a7c0dac8fc87861071c01a5
SHA256 d2ebd2446965dc2adf350938c40b3357d955ec59ae960d21f7b018a194a965df
SHA512 e82c31ba596c9fe43549f126747b0a8e12be370f6a3a737bc4d30d6e66cb4bc7ce21d782bbd70d0ab84e60089373afa78fce10584ef06315a1ca19e8eb2e2045

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590e2f.TMP

MD5 178fc555b2cb900c39b0cdd5cc01fe43
SHA1 8fe8f4fccd92ce6b592e70adda75717e43a251e0
SHA256 8b6b250d1482ed7240d2989b166a8f197e229635ab4a1b2cb35b47c26d361b22
SHA512 deddf31b455fccf28855108b1ca9722cc4abc96ab765a04a7963fb4472a9f5e47288a098777ebd54c3e7adf73da428215629a0de345a82ee1f6bb2257e82c2ac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 92756b524f563a9609255646d88994f8
SHA1 b35736fac23508c4dbdf3b83d3e14662ec50663b
SHA256 f8327a358d14b0e5dd136bab2f8a188197be3594d2dffd623f9a0443fc0f5b0d
SHA512 98f9bf1dd87c4f6564e8335fd8cfa3f665a3ef1ba7b835288ae934d987ddaeef27a6f7d8bce13cd6374a2139f1da10530233f45d5cce128c00f4cdee82e6817b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 ea2364d3be3430c351a63e760dbd6a6a
SHA1 7dadb5c22a408c486bf617251606d0ccc46c10ff
SHA256 36b2526769084ca68d3d089c4c2712c48c02338ad90b0eafa5fe55ab7a94d0df
SHA512 99681a1b53e8d72cd7e1d9ae65e389eda80094ec223b54d0f7127d75168d2cf7eae20c2b370ed1ab6a95e66117be34c0f938a7e7991bd5a36cfb998567e6bba9

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-26 10:29

Reported

2024-06-26 10:31

Platform

win7-20240611-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
N/A N/A C:\Windows\_temp_heu168yyds\x64\kms_x64.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\_temp_heu168yyds\pic\Renewal-Close1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\17-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\8-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\BACK2.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\logo.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK2.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\smart-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\TAB3.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\7Z.EXE C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\18-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\22-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\5-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\6-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\17-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\2-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\15-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\3-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\8-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\9-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK3.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK6.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Over.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\21-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\24-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\6-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\7-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\7-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\x64\kms_x64.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\x86\cleanospp.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Down.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Down.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Renewal-Close2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\xml\SPPSvc.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\14-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\15-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\3-3.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\5-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\pic0\update.ico C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\3-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Setting.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\xml\HEU_KMS_Renewal.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\7Z.EXE C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\1-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\1-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\2-3.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\21-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\xml\SPPSvc.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\x86 C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\TAB4.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\14-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\About.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK5.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\pic0\ewm_wx.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\skin.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Renewal-Close1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\smart-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\TAB4.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0 C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\12-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\18-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\2-3.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\5-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\x64\cleanospp.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\winmgmts:\root\CIMV2 C:\Windows\_temp_heu168yyds\x64\kms_x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
Token: 35 N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe"

C:\Windows\_temp_heu168yyds\7Z.EXE

"C:\Windows\_temp_heu168yyds\7Z.EXE" x "C:\Windows\_temp_heu168yyds\KMSmini.7z" -y -o"C:\Windows\_temp_heu168yyds"

C:\Windows\_temp_heu168yyds\x64\kms_x64.exe

C:\Windows\_temp_heu168yyds\x64\kms_x64.exe

Network

N/A

Files

memory/2064-0-0x0000000000E30000-0x0000000001786000-memory.dmp

C:\Windows\_temp_heu168yyds\KMSmini.7z

MD5 7c95298d1611c9e4bb4be126003cdc20
SHA1 a59c8d542ff8210797247b0d8f0746ed1add66e1
SHA256 f4f6f45d26e2b15267c59452b10b7b1d890a3b65e647adeb4c7296d90c34b7df
SHA512 5104664b3036d5ee4209112db2f2da833e177a83691ad438fc20c467e80cfcedc784de6aae27401f40fa9bd9a3a6c6935702c0e42e3dc7f6afe64853021bf8be

\Windows\_temp_heu168yyds\7Z.EXE

MD5 43141e85e7c36e31b52b22ab94d5e574
SHA1 cfd7079a9b268d84b856dc668edbb9ab9ef35312
SHA256 ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
SHA512 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

C:\Windows\_temp_heu168yyds\files.7z

MD5 c7926c9b1dfe047575916f8016f36555
SHA1 88f149b25d40e4d124c45bef48a82d69fc5e7e34
SHA256 c02c302c2f9861b4120664ad32b74280a5f13dae54735ad858691837aa496888
SHA512 68e2efe32be775eff0c6c949ac5f3770be1ac9a5baabd85b73e6e0d987b4b593329d829a6cdd111379637adc81caf1cdc542d43c420c102405c239ee85cf9ec2

\Windows\_temp_heu168yyds\x64\kms_x64.exe

MD5 4a7d374c8ad8419fa832fd29486024d0
SHA1 e8793db9705d7beac3dc3c0394ed58ffd0022708
SHA256 69ce16ddba934782fa656a69c28daef291f55d11ff19d78b83bd6736e6d6a8d1
SHA512 55464c7f7c5918dee4f882e0f4c40758070c7d474be2cc763d6675cfc497464d11005e6c49f87eb1dc7603c831aec84d034dd0ccb1557b8221910191eb58b7aa

memory/1476-210-0x000000013F6E0000-0x000000013F9FB000-memory.dmp

memory/2064-209-0x0000000005480000-0x000000000579B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ScriptTemp.ini

MD5 07519d22697940ba191d3eeb68436ab3
SHA1 a2e79391705a6fd849dbdc79d457ec2d2ebf392c
SHA256 e8d819f57a235e7a4e03ba7fa2e0d8e0a2b00d5c2456f7dba26f107caa3c8bea
SHA512 25e830a135d1cf3a26b3a4d4a3b90db9ca39d5f4ac7efac8fba02cb91663b6a656c76ea34821567f80e3be3bb3f1f960b2bfcba5386baf963d41644a1897886d

memory/2064-213-0x0000000000E30000-0x0000000001786000-memory.dmp

memory/1476-215-0x000000013F6E0000-0x000000013F9FB000-memory.dmp

memory/2064-217-0x0000000000E30000-0x0000000001786000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-26 10:29

Reported

2024-06-26 10:31

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
N/A N/A C:\Windows\_temp_heu168yyds\x64\kms_x64.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\_temp_heu168yyds\xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\24-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\9-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\smart-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\TAB1.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0 C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\17-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\BACK4.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\BACK6.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\1-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\2-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\23-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0\ewm_wx.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\TAB4.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\x86\cleanospp.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\Office2010OSPP C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\15-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\5-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\BACK3.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0\update.ico C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\pic0\ver.ico C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\xml\SPPSvc.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\xml\SPPSvc.xml C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\xml C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe N/A
File created C:\Windows\_temp_heu168yyds\pic\18-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\4-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\About.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\smart-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\TAB2.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\x64\cleanospp.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\20-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK5.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\message.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\Min.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\14-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\2-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\21-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK1.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\pic0\left.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Renewal-Close1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\x86\kms.exe C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\Office2010OSPP C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\14-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\17-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\BACK2.jpg C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\pic0\head.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Setting.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\TAB5.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\7Z.EXE C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe N/A
File created C:\Windows\_temp_heu168yyds\pic\12-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\2-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\22-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\23-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\24-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\5-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\7-2.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\Office2010OSPP\OSPP.VBS C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\OtherOfficeOSPP C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe N/A
File created C:\Windows\_temp_heu168yyds\pic\message.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\17-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\pic\19-1.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\2-3.bmp C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File created C:\Windows\_temp_heu168yyds\pic\Down.png C:\Windows\_temp_heu168yyds\7Z.EXE N/A
File opened for modification C:\Windows\_temp_heu168yyds\OtherOfficeOSPP C:\Windows\_temp_heu168yyds\7Z.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\winmgmts:\root\CIMV2 C:\Windows\_temp_heu168yyds\x64\kms_x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
Token: 35 N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\_temp_heu168yyds\7Z.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe"

C:\Windows\_temp_heu168yyds\7Z.EXE

"C:\Windows\_temp_heu168yyds\7Z.EXE" x "C:\Windows\_temp_heu168yyds\KMSmini.7z" -y -o"C:\Windows\_temp_heu168yyds"

C:\Windows\_temp_heu168yyds\x64\kms_x64.exe

C:\Windows\_temp_heu168yyds\x64\kms_x64.exe

Network

Files

memory/4188-0-0x0000000000B20000-0x0000000001476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\autA549.tmp

C:\Windows\_temp_heu168yyds\files.7z

C:\Windows\_temp_heu168yyds\7Z.EXE

C:\Windows\_temp_heu168yyds\x64\kms_x64.exe

memory/412-208-0x00007FF6F3200000-0x00007FF6F351B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ScriptTemp.ini

memory/4188-211-0x0000000000B20000-0x0000000001476000-memory.dmp

memory/412-212-0x00007FF6F3200000-0x00007FF6F351B000-memory.dmp

memory/4188-213-0x0000000000B20000-0x0000000001476000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-26 10:29

Reported

2024-06-26 10:31

Platform

win7-20240611-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\J__ - __________.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\J__ - __________.url"

Network

N/A

Files

memory/1828-0-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-26 10:29

Reported

2024-06-26 10:31

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

97s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\J__ - __________.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\J__ - __________.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A