Malware Analysis Report

2025-03-15 05:25

Sample ID 240629-e8xkpatgrn
Target rjw-master.zip
SHA256 0246b9c8a23ce5297d3d06054d5ffe7c31ad5ae1695ab79a0233e944d232971d
Tags
macro
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0246b9c8a23ce5297d3d06054d5ffe7c31ad5ae1695ab79a0233e944d232971d

Threat Level: Likely malicious

The file rjw-master.zip was found to be: Likely malicious.

Malicious Activity Summary

macro

Suspicious Office macro

Unsigned PE

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-29 04:37

Signatures

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240611-en

Max time kernel

134s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Rapist.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Rapist.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/3432-1-0x00007FF839EED000-0x00007FF839EEE000-memory.dmp

memory/3432-0-0x00007FF7F9ED0000-0x00007FF7F9EE0000-memory.dmp

memory/3432-2-0x00007FF839E50000-0x00007FF83A045000-memory.dmp

memory/3432-3-0x00007FF839E50000-0x00007FF83A045000-memory.dmp

memory/3432-4-0x00007FF839E50000-0x00007FF83A045000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240508-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Zoophile.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0528c3ddec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68F5D101-35D1-11EF-A649-4E87F544447C} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e93610000000002000000000010660000000100002000000017ea610f6d7cf21d283b0ebf57ffec86411a88487fe3a59cef56c9431e64d3b1000000000e8000000002000020000000f583eb65e341e33270446cdf2f150df29e3f8e3455a24515dc2b7029fef9a11690000000495cc3414d8bd5c906a74844e45dbd55276246a3264017f91fd6f36e418dfc0c4d5af5bcbd5b67b004202d9f092740a73a9de631e1d419482704a5ff7cebb0fd707c0c43078fa95ea9a37ac34f668ba7ef768d2079157f823764b615fab6ddc6fe397802d7ce0368ad6dd3eda388f597af67a599310c51d16b4b4a50e632a40f85d39cf2fe1993c87aa148717920e52d40000000ba3ae5ccbba7465b412fa0778ab2432d301a82f8de6068cad3aa3df31c0ef6de09c59525fae567fdcf3d1700ae691ba3893731788be96b2fb6d272232d7a0281 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000009660a04cd30c17de2ea3032666fc41fa1a4da4ef0c7434c338de52d736d83476000000000e800000000200002000000060ee1064481907b5494ac99a37ac4068484ac25005a3dd5175c57e8379ee3401200000002cae48bf76b511a20353b1404967836502e9e71043596916e8bbc93d1e65c9c140000000840388f660f7f2bb78ef4774d48ff4506e3aff881b4b5bfee0d5d329616b498a6ba7acc6eff71bd3e0ac8aea89de40035c289761dcc01ebbbc9bbf5206162468 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797767" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 2820 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2436 wrote to memory of 2820 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2436 wrote to memory of 2820 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2436 wrote to memory of 2820 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2820 wrote to memory of 1824 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2820 wrote to memory of 1824 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2820 wrote to memory of 1824 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2820 wrote to memory of 1824 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1824 wrote to memory of 2660 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1824 wrote to memory of 2660 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1824 wrote to memory of 2660 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1824 wrote to memory of 2660 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Zoophile.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab48A7.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar493A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1836456df3d67f859b4e217af0fdd88e
SHA1 43d131e5422349d3f24e09b78843dca80e7ef697
SHA256 4ecb88c78e53b12fb9899951c66e8c20da614dd1c762b143af73ece4c2e56a2b
SHA512 6ebbf4669cc02c2183598f8ee01c416019ac8ac92cf8beccfab2dc3f89f2d0b844e41f94ec931a866e0a788051663bcaadcc80f586a130bb3941892c8a11930f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff4c30c5deb98649f2bf7b48f44d373c
SHA1 dfd05f071c23764fdc3989d8f9192cd78e0241ea
SHA256 113315b3d7182c709b4fb793713b0dba64455647f50824a0e773456ef5c205ba
SHA512 c86aa9495f695e33954fa07019ffe8812dba556019def182007203cbc3c8500f3154da8a36b77fda992cfd69e634753b407cfde7f517f8f6af107f1b8ed4df1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2dadf5cd5fd647495b4f28acb021325
SHA1 d4a666088a2d27f3878734fdca2b2155f64bd677
SHA256 55f53f89682d1f4ea0e5ecd96592dd6298544c2d7e507b79551662768967714f
SHA512 6f0179809067184d8a5e9b8bb18feccfc61bd3c8bbcb51c6e3865ce633506361e22af9dfe7859391dc746d2b91a932fe6423e9c251c98058475b14f3836a70ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a43233817ebf39560a038bb4e40ad3e9
SHA1 9465bc2928ca31b80294a27e7c132eee3f8ec888
SHA256 feae24f69d041f6583956965f771e02e160d30c4592da530514ca120920d3c07
SHA512 aa79ecbee37df423ac76fe79c4342b5d8c13e451cdcdd1e77776dcf8b622ce006f75a0bc820fce8de7b17570d7292cba900c004f6c8a6cd5f72aa744952ab99a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5cd7871a26034c67540055ec6907adc8
SHA1 6ced2d5423e2c48052a1c60eb8a02c17f9a81323
SHA256 dad825194a0e5b4b118ba0fb493c6506708a7f4292031e96fa91b4c72f3a2c2f
SHA512 b9e5082e4f57917cf1dcb5903ccd298a535de4125104e036f17da0cf27009301c5cc78fc61b94ae9b66808eab38f8786f44ef5b09c4553e5f3f41b7d575345b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c73005679c65d41b9f9ec1230d6397b
SHA1 c5a60074d2fd6726439cf15150ecc56a6bdc4991
SHA256 52201e477385573febd2fffb9a7e068fbb93a283f0f4749140a606556e1a558a
SHA512 a9fda98115bd742046930b2113db93092c926d2775f08b1fd3b9fe9661ef80cea20c820ece569684a878308e42b42a5a3fd536362e9ddcb395e98d80340e5ef5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 997bc093e380a23df9f18e7d2623155e
SHA1 7df873ab47bf7d0d948753fd256a3695a40156f2
SHA256 1e75905f38e2709437cd8b30488b1afc078c928b91f3596ab9d72e00aa9a9893
SHA512 09d1b58fc72410b5e45e57384ec0a7c3e0e70a36955bcf226d0359236db6639f38110cdf89a9119d4251a7b20beb7a8e36198f447867ae7e4c0206ad6667379b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f01b52c19618e9e294de6a0b2b8da7df
SHA1 ce148de6a6569b65369ca053b9a234eb9e2eb6e6
SHA256 475ef35d286b93ed938e17bc886c802056007dc7193ec3a65875a4f658282521
SHA512 1ee96535f27e9b16cc7d8065cbdc14e44e29d9882ed0da30538ba8bcecd5c314571555c1cec75d04e403ea07f01848fb4e678786289a4206b76e736b295de02e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b33dea9990831bf5e140169354ec5b6
SHA1 b54baee498ce4e81d03bd0bf6fd5d213f286d39d
SHA256 f5846e041dc1dd8607ae0c394f4bba10f16ecb4db5d2821d297e819c807163c7
SHA512 6e0522f52693442104a6cc740fb2aca24f5d4e9cdea07a33d446f40c237cfbc376dff079cac354d33eac1476dd76c933017fa64696565aa94964c624aa444035

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c21853305c359650dce60ff23abb1a0
SHA1 11f907343189c3e4fd1836eeb471159b7470d440
SHA256 9d19424d2c104b6dbab878616505a53ee739feb2c9607e29998fff8a4764abd2
SHA512 91b06065ec9259213c00911e41ed75967d530d0ab49fb31f11cd65bbe233ab7dc647e751f8742e9f14d16bae69424573ce27173fa55dfa4d69e8d95722dd1993

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15ef9223e7cef9f18eb909e1dc8f6b64
SHA1 1721a3fc8265829bd4aa45beb94a2e3ac342a3cf
SHA256 76f12025b5d72ce98b3c9bccea4973e9ff16a666a156eb33466b71bc047fb93a
SHA512 ba140567087d17a8b9907cbdda57ff16c26633bb26c61a120cae024369c38e6845eed210357f466da7e707b1830a9167c58fd68be8e6702183a32c5ab83936fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7edbdaacd897003cf3fc3c857ab349a1
SHA1 4a0a9771f038453712c1ff630bb88ae859c8f12e
SHA256 cf8a71c1b83a0526691a1e999e6071dc56d8ca97d76ebf95d936a4b4c712ec2f
SHA512 0806da314bc117c067d42aff7e1b1f0d2b85e354a648fe2bbada2e8a701e320e92d4e87165f8d2a58498ce3e17e837a5b661a3407e1f9920c9dd2431499f2105

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49f4ed2401ee400a396dc15535f4fc0e
SHA1 426b19aeef4a3ee8f528b77285a96f7505a0a248
SHA256 c6d34e9805df08828acb94e0746a2115cb6cf5c9d00f1b58f595679418dfd788
SHA512 7a561f0be75116b5c4347ba7f22ef675e5e0b8eb7f581468c4a776fd5f9c92258150567b70391103351152205f600e557f366b866f197b238b85104fe292f10d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1c23b40bec6fc5592621bad6a2555d5
SHA1 b8d4b77d074683457d5b85e0c863a1e535f239cd
SHA256 de207f7fa430cbdc1b4cceab0b9b28e27971642106625e822cdab5903a963220
SHA512 342e1131a46d8cfaf2e9b42eaa4ef89d7e032dd8daf518c0eb3d059b193c4cfe9361f352cd3cfe5b7e9342fd907038719b41b2960abf595772946efffc7842f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b44b94d7451ab2b74931d1e5dbd082f1
SHA1 f571cddb95cf5fa073a61acd48d61e3be58ad880
SHA256 3fe0073feef12ad50cfe441d4d4ee879b321897e8ecabd97473e146b636aecfe
SHA512 5db3ec6538738aead20f258be982cd8a03252dd4cd4b0e1ae05be1714b568cd7d60b733df0a0b915f7652a1e320c03ca287a4297ca1acf0cc6f92dbc4f41f2b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d21549cc27a978a0549bf2f781f32738
SHA1 cac0f9d1f04147ed663034026be6965597a2cc90
SHA256 4fc2689daf4b48f444d2bd4f9f5df773f00a946293805d1e9196ddf388d51554
SHA512 954dad97a70e9e57edad852784fcb0ae5b6fb5a2efda6ba015bcb700bc8aa0c2570d52746f1e49e41a60159c97912fb3ac3df076ebae7ee920801a6f39809ed2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3ac0e16576c2459961b2075d569321e
SHA1 a0657a62f0638874014d4fa910b04a00ca2d25d8
SHA256 c510d8c8ba6cd01ceb0ed9da59bc7ac83966f33244dcb1bc7cdefaae8c275154
SHA512 680f7a7dbf7d91d4961033f87b28d9247e59b3086958499eddd521166a1267b282007ca3e46351187895cc6f185c571eb785551f3285e241246001b58993313d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 929665ac1fde352b5f9e0ffd75113fde
SHA1 704473b1de16e09609dcbd8b33f8408868ae0d72
SHA256 661adab1bcda5053c4538f504e4958bb044d2fd954b461b2aa5de380e2282b7a
SHA512 99a49472a5976ea0d1950972a9672aee122bcf7e2b55fcc36ab1f8a274f0243da02718aef78347aa826e226b512219a630662b44b33ab21a30f47f8303b37109

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6425eb2907b81314f5dc6d5ee79bc264
SHA1 5d9eb618c42bac5e8eda050bbf3951f4d6b29ec2
SHA256 905ee909dceb7329dd2c7e155a49a233ccf9c20b0fb70f034d104bf0d4300903
SHA512 92329bf958592fe488d215a3d77139d7c465ae353b8e1f39c5d45f775cdfce4cca8df4032600b11b0129021fd1fa9b1dc6d115c9416ffc875aad0b06c425fb6d

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Zoophile.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Zoophile.xml"

Network

Files

memory/3496-0-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

memory/3496-1-0x00007FFCB99AD000-0x00007FFCB99AE000-memory.dmp

memory/3496-2-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp

memory/3496-3-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240611-en

Max time kernel

142s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Family.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Family.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/4480-0-0x00007FFE89D10000-0x00007FFE89D20000-memory.dmp

memory/4480-1-0x00007FFEC9D2D000-0x00007FFEC9D2E000-memory.dmp

memory/4480-2-0x00007FFEC9C90000-0x00007FFEC9E85000-memory.dmp

memory/4480-3-0x00007FFEC9C90000-0x00007FFEC9E85000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240508-en

Max time kernel

123s

Max time network

150s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\rjw-master.zip

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 2796 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 2796 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 2796 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 332 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 332 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 332 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1784 wrote to memory of 652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\rjw-master.zip

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef76a9758,0x7fef76a9768,0x7fef76a9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1356 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1180 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3492 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3524 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3760 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3716 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2920 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2444 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x54c

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3140 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4040 --field-trial-handle=1280,i,5714614384728492970,81484305308968358,131072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 ogs.google.com udp
GB 142.250.187.238:443 ogs.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 216.58.213.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.200.46:443 youtube.com tcp
GB 142.250.200.46:443 youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 216.58.201.118:443 i.ytimg.com tcp
US 8.8.8.8:53 accounts.google.com udp
IE 209.85.203.84:443 accounts.google.com tcp
IE 209.85.203.84:443 accounts.google.com udp
US 8.8.8.8:53 rr4---sn-q4fl6nsd.googlevideo.com udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
GB 142.250.200.10:443 content-autofill.googleapis.com tcp
GB 142.250.187.196:443 www.google.com udp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
GB 142.250.179.238:443 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com udp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
US 74.125.3.169:443 rr4---sn-q4fl6nsd.googlevideo.com tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
GB 142.250.200.42:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.212.206:443 consent.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com udp

Files

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

\??\pipe\crashpad_1784_IEMWXRDFIVYUJNXH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 1bb920dc124c0aa91b3bc44cb53f0143
SHA1 ca874a08fc98c3a01976f2013acd3d5736daf90e
SHA256 9e5dd35f51ac2574dae74385b0202ea9d270e11617c8dbc1bd21f0aba833019c
SHA512 e4895efb870f141127ecb8694478d318bfdcbecf0d9bed612af2de937588670e3a96173d5e92cfd5e5f38ed01d9e227b030839536d50fde34008b14c2c594166

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf785255.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 491930239ffbb607bb945c91070ab405
SHA1 4ba0787d9058fa54685115bfb7ac1d0da8be6f1f
SHA256 9b14092150c87578f5ad1f3a842860a7b5f535d68f50fcf9c50f9ef0ca2b14f9
SHA512 a926a300e24534cc97e50029eae4324d64517d5d4e9a868cf3e95dab621a09cc08009260bb1f83d56204a4f01d3bb6195fdbf69e672e04abedc76da9f3dc8b50

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240611-en

Max time kernel

117s

Max time network

135s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_Resource_AnimalProduct_Eggs.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40f6973edec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb81000000000200000000001066000000010000200000008a1e15ebf42ac6827e4c71625792ffa23294aa3303a07cd5a31ff826bd7e0a4c000000000e800000000200002000000039749aaba0e7e1e489c05cb17c4f9bbd16323a5227b563ada05db6c3efa7a68890000000796a40dd76afd5590607d081805e1fbbbeedc6fe31b105ecf43139684589c1f9bc2c54b7eee359f0955ef893f02df73c343f67123a8cd880317af191f961868d55cd51daade103e7985dad508b15e76534ce38067c425af787a50e347e863976ba229d614b58a0d3e4182015f87f591787c87d20e1e8c79c65e93165ef0e09b9e1108b607bb4471d1fc213c744199f854000000091babe0d725aed418b5f046e87e4a90454c79e88a6aea025187cad366f1fe4bd1ca47b7b2ef399e4db3b4890b329db7388ca0efbe0061c924cdfa1b3507427a4 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6A063F31-35D1-11EF-A85D-46C1B5BE3FA8} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb810000000002000000000010660000000100002000000043101d22b788a364aa03808897c10bc0c727a36a34f772306ba61461640bf2fb000000000e800000000200002000000069104c8d9403fbd946042062215e3d9d934b4903decf49e102fbd8cb236deb162000000075f227d5851462a1f8ef216435bf2eda43007d7ac547fed9377f92e4abdb507240000000810fc8edd2384d716acac2def50cef83abdc997e14b16d75fc0f72c1960de9fb90d753bac74250f97f7cd960c86a4358eb88126dbf7b81b72888a88ba04151ee C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797769" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 1976 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2460 wrote to memory of 1976 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2460 wrote to memory of 1976 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2460 wrote to memory of 1976 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1976 wrote to memory of 1996 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1976 wrote to memory of 1996 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1976 wrote to memory of 1996 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1976 wrote to memory of 1996 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1996 wrote to memory of 2272 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1996 wrote to memory of 2272 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1996 wrote to memory of 2272 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1996 wrote to memory of 2272 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_Resource_AnimalProduct_Eggs.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab4849.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\Local\Temp\Tar4988.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b1f6a0eb52abe019f0901dca66df36e
SHA1 164eb795bc243d63e183f2e6105e8c7347144d36
SHA256 f068e1a105c212b1fad1061442a121165147137d3cf1024f80b671a951b3073f
SHA512 6df8ca3c442c861ac8e19f133e2c393473457503f3b577e436a4ee27b563cd75d170ab1071228001769cc831fee8e39b7857344593fc0c779046a9a84cc9b137

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74490ddda74d3f8b0392a40047ff220a
SHA1 65a9b3df7fc2a1515e564ae6c1ee03cede11f62e
SHA256 5db65779bb827e3b94137290f896c5cd6f07de15c995fbdb0105e4afa99999ba
SHA512 a2a645ffa77e182e3e8b64b88b8f2117c102d707d2d0720da99c42cf3edad6565854e3ae1e15bbc99ac99d4d2e72849d32ca9de42eb9773bf929c2e3d506d09b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e8dbecc1312ba9e348ba5adf25c5ba1
SHA1 d8b5bff4b1624a0261fe9dd3e95542ce23755e06
SHA256 0ac0e1f7a33eedc443a9854a097bb00304b16693ff682fbd460946d872ff4f4c
SHA512 27c3e8cd692a5bfdd1728cd814956b59c30e22eb8203f76d2867aeceba8910019ad7c34e58babab879dc06bf2c4fcf61ea0d5cbd7e9014b7b709a5f98fbf9b37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12f0ece2c328f4f71c6865ce761795dd
SHA1 15dae19e9fc7da233222b6e62f9465aae7255254
SHA256 3c90031963b337a793138b541132f9ae44e60047352bc39112a9882afa0f3692
SHA512 a8c6508e32795b893bc7c26f393db7ecf56415b62140593a20f8430ba34822b20fd021d00403d0b4d62e77c0f4319c7689b1c70985adc8eb9e1eb83680aec3d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 148b7094d3cb216d5f44936301618d00
SHA1 9c5b6c0ee46eea56c5956884ceddeb0234177fc2
SHA256 795e0f22f7551b5eca1ec60c1d6bd204dad1da8231a8188de4d91cd6e9bdf703
SHA512 341b63103ff2faf56a2cd8e4c7042de81c1849999ff4d3881b4c8c8d5c8ae194cb77d557af13779be4dfd1c0cc9aeb07c4c7af2dae8b53ccbb507755f4dd9708

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5589d6f933fbfbe59ffef47efe460b3
SHA1 7101c5ea2aa3a8c84b5abb2d53209aa9e9a4de33
SHA256 f7244b487fc78390b0b5d6f49b8c10b4f14a72c8a7f132ba70833315b82b2c0b
SHA512 08f2888d10cf1dbc5beeb459b5ee9af5f8abf76877cdfa7612292039b33b9143d5de88d31f86160649ae2ea4f52753d7cafb379eb0c55b846c84a700eac0b052

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab54b3d68421b2880ccc214ec565167f
SHA1 679a107f0a5962d87ef5858bd9c269adfe934e6b
SHA256 d66ac3a7aa33e476d8ec417d9299f9327c3c6b8c89eb61f37abf7196e30baa99
SHA512 d5ba8db44c626cec83a4707cb939eb4d878eeea4886f42eef60902b02edc31c9fdc09295afd4ea367b51aa8f78f4b0a5baed730979c45e3c595ba4fd5aaf2f3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad76182eb5b6635d48cb0cbea9f9bf93
SHA1 ffdc0476d4eeec24016fcca4eecb1ced7aa35045
SHA256 fdccbefcf094887efe9b8f36bdb348c6cc5a8612e47b771bf595cc3bf7be240e
SHA512 a84c96311ef77f15780c09e128d8789a6484c1e2b227ce70a2c93332adc46fc602a8a45ec5cec03b8e70fb5e31757d02dbd1c2298e076b2cdf0d37904dcf4a8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bcbb0c09ff56880450a3af6797ff9b29
SHA1 606a1611c584cabaec40e24cb59942a87b96fdf9
SHA256 af7443681790f538a0131620bd85a684902cd600bc0fca4f8ea3532213d674f5
SHA512 30aae1fa330fc49aaf4c10baa8d4a7ba88fd3e93afd0c43f2628b210459efea7ae387631f65e3e6cdbc353e54875b0cb5406391d81bba0ae87793b20033dc8aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10384ed48d93163b55135dee59bd3377
SHA1 f88d7aa5b491342b0d18b01b0ddfcde1ab9809ba
SHA256 c0b5ba811ee0bb8d304b6ebf70218b1293d50f17b2fd353de048270c6b31aded
SHA512 91e5cfab11a68079e73fd0d5df5f5bba78a579b28771d74539416bf6e67ab9af9ee33953edfa0f6e63d87499c7ac496982e926804df94cc4cd37f1afa9db84da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2671a9bbd1d6d92bc2d78d319e447b4
SHA1 baf3089304c1fdf078c1e128b41753c53912433a
SHA256 8a66b6fed3cf3633d94b9ceb5710cded0fd809dc6dd4cfaad64518ebfa7e632f
SHA512 e5dec9c860e8631b0e4e97fbad23acd3b682addaba59fc8c8441ee41f11c94ede0d1f674514cf116e535cf177568545d4f5e21a2e56d09d5b856117eb17390c8

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240611-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Animal.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000370d888de28a8a426842008460352d2e16d1f889c0f0a2ae9c12f6c5d256c8d2000000000e80000000020000200000007614f8bdb7f3bd38afefad19adda3b955e488231aadaaa05d41338c20bfd2274200000001e057ff65f7e4adf0f9e6a90ceb382efe6a99a10a22314207a18cbc6971b9a3540000000a203ba4f7191068eae296c0e054e89caa8c740b02d3e9c8af6fe13c17d818f56735b7713db231e13da2bee870d1dfbc633b0aa6d83cee438a2c8cfe50cf22af6 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9028483edec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797768" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{69D7CC91-35D1-11EF-8875-5E4DB530A215} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a039050000000002000000000010660000000100002000000004b8aa84248e92a774ad84e336a4ad8cbc60d5d468649d763a080817bbd9fef0000000000e8000000002000020000000a1fd8fc14cb62dc2f73585b0224ee8914d2e0351569049c72cdf6e338441ee1a900000000b52724ae203786335b80acbaa3e90c1652cdcd6ac36d2fc372e8fea5e5646bb3027e5d3fa6925b250cbc0d9fe9394c73a6d86f55b5c08a4d44dd3f7affe5e4875c4557eeb2375e415949376c9280aa9d5b7788504d8c49d7ca0726cb8db8671d25ad90b81ea4ad90b6fd7f42a2053b2d83f8378a23770f2066e0fb90eb4f1a27a5ba95e50ee4e3a658710c92bc1743b400000001820afc42abaf5a9a37663e706bb636d0bf2e111cfc82e107aedd5a585be21ee14203cf1567129646ffff2cc285f7144634eb5e7ab652fcdcdedd7e71cc6387e C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2060 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2060 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2060 wrote to memory of 2944 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2944 wrote to memory of 2972 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2944 wrote to memory of 2972 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2944 wrote to memory of 2972 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2944 wrote to memory of 2972 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2972 wrote to memory of 2320 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2972 wrote to memory of 2320 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2972 wrote to memory of 2320 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2972 wrote to memory of 2320 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Animal.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab3EA8.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3F57.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66489b820a02c1b827e71755b35c6c33
SHA1 b81389c4b701962373e92d92d911265224c620d3
SHA256 be69dd66f1704b539f97cdcedbd98df3fc641b1713db925b1cba6fa4beeac349
SHA512 8cd1b67bd1eb3f7ad878bed9a0381f4c7083a784a225caf98c791d449847b9f3d2138d8e0c38bce4270351ad200f092058c524d3c41e693f9ca3fa5adc5c17f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 327904e3976fa85b4e99ab8ffec41c46
SHA1 b02e39d4993755a7aab66220d6b0eed61bfa6534
SHA256 2af3a34792c1ff85f84b676e5a12b063a1ac798f492aa91ed0a586d3c13c3d21
SHA512 d3f8f98a2df911539a3b3f2f4bf6a64e4f36fba2858658e9241681843b1d10de56b88c89634c8376a2abbef2c4e9ecc86ec05372b1054151682f17182fc6542a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5564a5e5bb8e13abfd351f8ce1953cb8
SHA1 c16ed686543f55246b05837446890fd8f8b00234
SHA256 e91c75f92a46018266b4f02ab8adc19fb11a9a2410e8810cef96ce706a233014
SHA512 937377ec0f555d5957fdc45a2e6571240c3546a4ad3965b5a4f771fcd8181434cb62626eb54b59ff551a02170e14249f615758aa590d4ca697e71fe27caa4ae7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fec2e83c6e60705e3f4fc894c37cb84b
SHA1 b655d76167b24614358bd8be40bb7ce244bee852
SHA256 2ae4122a8ff6b71d3d0b5b592630a28942b9b9fb4cfa6e122a997a47b05516d9
SHA512 bea6c3f183cab53f7fa50154c2e9867ad9eb4cc12ba53cbca7ad98374f6f70b562f263100327dade98780dc3e86b04ae05a32443f0bd3a53f9168f272b2f87ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82ea2c4c2515f6d727568fea4055adc5
SHA1 dd62fed2456a1a4c9a32a8eace34ed09a988e484
SHA256 46bc694d4be626b788d9b1b4ebe061bd014b8eff35e8d94ced2559e895e80bd4
SHA512 49e8d11e462d1442929624a225563227f7dd3152f5814119539316db194e6e5f75201208d6a3a479a1cf27ad91c04ad230805d9d357afd88ce9037fa2d0eb5ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfdd3173bb103e5944453fd9607f05ca
SHA1 e97af04a69c34bd8f857d6575dc3735403bcd175
SHA256 852dc2ce2b4ccc15290e7cb4f6b4a3cc1738de4604ad57cbe33b0c3458bb3785
SHA512 5452e19a7184b1c2a0e8c61e718b9e571293de02710ad6c349bbf3c29312aee5a727116ac0b76bcc2b0d41f67fa941d6eaf653d8b65426a0cede9b37d41af215

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b67cad919dcea0194946eea85bb06dd4
SHA1 2585c049308262f9c4213ecba77671f5dac7d065
SHA256 a777c989f71ba98e09bd9a634038ac19d2413d64498aae937c80282c7236acbd
SHA512 34412750324a818e38881212ee2dc2c1594f862fc188ffee27cf93ec963ce5ecac29c5aef764279a8c2f5b83ea6272be64fdd58ecc34af17edee0cbf9226dd2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cd2e8e9724f0da3e7830c05e8965edb
SHA1 3751e7c7e7f107d00b10de72c2361e8bebc33b31
SHA256 935933287283eaba06fdce6573ce296c50fabc874e6bebb803fe018a3f672c54
SHA512 21aed1d280481e8d9386a4550c22d4a07a0f2bc7145ad109312ea5af865b0c58e0057da1a483b5ef42a1fc3293ec62bdeea475001e37230b05e0a4f407b2393f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2058df191491fca4544c5897062e013
SHA1 25a890f315dc2ca6906fd6c915a3e4a71c758be7
SHA256 145d1bac16362cfab11b6c7f37152119d151ffb7fb387c34a78a671e7a95b3f0
SHA512 bb1bf479e5de9f09c9737549987a8d29c9d761cdc4eaa58b7a9caa381f13d862f0d7fed386695308d89a55a1b8d362c03b5920239cb50469d67c50afa1cb49f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 458005682030e2d767722ff51d199a09
SHA1 51e05368dbb651e2ff11f8a67b36150a06b24c04
SHA256 01a8e02d68e7af44083de6f66914a2adf9c97935cfade926370f22f615a28b82
SHA512 89642de43784b633d26bc6fb58fbce18bfa4d5adf6dbff7fb86e368de34fc6d4c1ad6ba03f876b54c5d94cf1885acd7c369cfbfedcc7895204d18e0f8f1718d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb1ad65fe348b18676c8b96beb5b1b17
SHA1 4402afd3d23b978910d07d659bab3668710d0711
SHA256 de839e228caddd21d3ee9667d2d505c31674919b2e3cbd05707e1f0cc14646b0
SHA512 ae3a3cf4d639cfc5aabd0b0274d39baa63751047144ded4112d71d191693abf6373e991bf061890faea61cd5b2f3d18ac4a530aa010e27273717be6043c49579

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f61771a941661c4fdc5734ac7db6cf1e
SHA1 b74657c90ba056bdccddf5ea09fdaca3739adc82
SHA256 dce3eaa9e92c20f43037110ebc4cb5022d0455834056167f72e42f638418a84f
SHA512 7850659e0dd40b19387a2d8dac95f6af8ecc13018af357fba5a8de9d4433cd53d92ad2b931f44ca15c9d4ca2665bc75066b5da0e20c31255dc5ea8ba6befec4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4990d866fce37c2de3a0538e046b30da
SHA1 b2e14db41b5cadfb59ae128fc2fa5fbacc77ffd3
SHA256 bfa9e8a8dc1e260af59acaa9afb9096f9d533fd0dfb8541845d932b51b37493d
SHA512 8b42074e75afb0b5d591de615e73a479c6e591c6ebe733178dea54a3620ebedc82d0d06ce64de12d6299dfbf4f0ec7a5be6fa87c543dd2d64e94e95ddbb0c157

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 615b115e08565cf837f7544756d4f086
SHA1 4c4e09cda9a2ff5cb14d70073fe6ccacacba35ca
SHA256 cdeff380a2fcdaf00d48c8c3f7a24019e317373ef93d38d06d550b2ebcd54868
SHA512 e5a9c34f4b3e690e296e132607ecb56fd0e05ba8f72b7f11b8cd3e307762000771a07239354188f0f1a91ea73a43521e15d1db615d484f1c15d1d59ebb0e10ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cf8cd360bc9eab182a027e319655822
SHA1 ce3e6061132f4e14c4644f3858e3398d723e5431
SHA256 8c169e4c52bd93d7c56f66dd8fa3b6bf93ee2b90e1e55cb47cdad864e7a3503a
SHA512 670e82c3d0277d6615dbe984cb14febbf531b850e164643e130805208c737272559ed64e1066acbd289df5ae2ef2d70016cb7f6dfd09e562667f172601b2a448

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55b435a7267135dfe41c7621a2fa18b9
SHA1 aa401629db1fee96c113126e741f43cafae62a9d
SHA256 268afbbf9b808d289631b3284ec3a1cd6428ddea4c473f3b3e296051e1783a7f
SHA512 d85de610a6247be3712ee5d1b9e14286256ee55dd184e226085d076bffd5f7047fecbd2f8f7943c0a079306ff7aa88d926ae7048ed14b83acdb53c9152707d4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d233e22ee1d2c62f2e78fa9a2ee56da
SHA1 d75bfab777d2b8221e3ee33a4ca06002abd83ca0
SHA256 5a0ae256ef0819b4181007b1b3f1efc78fa917744fdf69b0f43cd0fd5a09b57a
SHA512 e9d27e1b5c278ff7f41e0f76e5f20e3b2912deb15c8f9fa583767b7a6bb10c32fe0862d780c90258eab4ae7a700d7dcfee8036b4cf742a663e3b6d3b3b31d6b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c339ecec5bb27788f0f0c63f68731b5
SHA1 e76f7dbe0e71a2b87c121c95147c5541de56d390
SHA256 3a94d5752f8ec35ba3683b0b3fc26976e981e181d823589a901b53c3b078ef98
SHA512 47f9273067afacc5283a0fafbb5eac71068b0cb7d90c1ef459f69d72bac0cae211a721ea346b55ad00742ccd366fabffc850086e993233a68f41c1741ab3acab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c4f26f40366f08e8a9795ed22ba43bc
SHA1 fcaf0a6010de50f5b20a2bb28f8446970cece7cf
SHA256 fda6e5ca69239204dd2caaed95e281b82101609330112ec37a02425de156d9b4
SHA512 d8144eb0414ee6b999a296c27c0fa94ebe5a47e68de56a263af538acdb6499ee14c6e773c4bc50bbd1776f1672d4b3ae78261bbabc5103d7732891ab08072948

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Prisoner.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Prisoner.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4288-0-0x00007FFB9E1F0000-0x00007FFB9E200000-memory.dmp

memory/4288-1-0x00007FFBDE20D000-0x00007FFBDE20E000-memory.dmp

memory/4288-2-0x00007FFBDE170000-0x00007FFBDE365000-memory.dmp

memory/4288-3-0x00007FFBDE170000-0x00007FFBDE365000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_BodyParts\Items_BodyParts_Slime.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_BodyParts\Items_BodyParts_Slime.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

memory/724-0-0x00007FFEC1D10000-0x00007FFEC1D20000-memory.dmp

memory/724-1-0x00007FFF01D2D000-0x00007FFF01D2E000-memory.dmp

memory/724-2-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

memory/724-3-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Animal.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Animal.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1092-0-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1092-1-0x00007FFEE994D000-0x00007FFEE994E000-memory.dmp

memory/1092-2-0x00007FFEE98B0000-0x00007FFEE9AA5000-memory.dmp

memory/1092-3-0x00007FFEE98B0000-0x00007FFEE9AA5000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240220-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Misc.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a0bdc21f91b73940b12f039b1c8b9847000000000200000000001066000000010000200000009b1c1eee7b5bc1e9d7fb328045cfccc5b8f7d61b383da921c7508580602064bc000000000e8000000002000020000000d67faac80c8376ad147b45b3662c05e89ce9c13a5eb42d83a7e195d8232683bb90000000919aad58bcbada5dc2be644401f7b10cd2d71ce2336a206d875d3ac1a3b7fc070981e6345c258af7e9047727eec40912950435861272d7732687d6119344818ca44943748bd341d238e62f81a03630603758307f1f1cff20bf33e47afdeaf55e87249342a8893a15b781717079ea20500dc6012ce04283a7a3718b4b634759618cab3c4d9130037c987196de866aaf6e40000000fd7e11f2895cfd38a6a92b4127b049918a14b57b8c140ebe7c8d4a4876c660b5bbf8417abfe32758a07af2a0035ca6f075e7a902e19000a6707826dccf9cdca7 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a0bdc21f91b73940b12f039b1c8b984700000000020000000000106600000001000020000000acbd7abc3753cfc725c00fea82d8420ab8f10ff7b5405881eaff23bf56e3e7fc000000000e8000000002000020000000223625aed24e2d1a2fe301dd0c6b66cfe8e81361836a2dad5ffc077ed6083cb4200000001df1123d1ead410df4382bad3c6c77ba2ff5afcb0953267971a8211f20f83fbf4000000050537dbca252cc59517a48e705682c5ab69c1486797e42316372138ee6602c46b2f19723cd3a75f940274ae5f9670d5d06cd23b5bc0823bd379e8d5f461f7cdd C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{697B6C21-35D1-11EF-9A4D-7A846B3196C4} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8034013edec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797768" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 1936 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2276 wrote to memory of 1936 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2276 wrote to memory of 1936 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2276 wrote to memory of 1936 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1936 wrote to memory of 2492 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 2492 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 2492 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 2492 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2492 wrote to memory of 2644 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2492 wrote to memory of 2644 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2492 wrote to memory of 2644 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2492 wrote to memory of 2644 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Misc.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab25EA.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar26DC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab4d8d3c0c875c1870ff6964f9d07da0
SHA1 643a56dc74f498a9dca21d7605a56ac52f48b9ae
SHA256 74389e220edb393087c42967a9231d33abeafaa1e90191c32d2e15de61c9d313
SHA512 ec3b2512acae3d9f5b7d89be960c55dd6123ff3d312d7c57deaecd6d152648a5a0b9254a8ff1dd60070313aa9d811a2077084e825c2f06fd3427a5f2236081ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66861dd137651bfb2f26feef8b481d89
SHA1 53b26693cac25fe06a90e089d93519745d68b9d7
SHA256 9b98a3ef16b3ee40f27a4989a2c48727c3ce4e04491b48441a3a549fe2c120b2
SHA512 2d4407dd0d6434b94342ae5356afc7cc041598a8e8e61139aaccf1249855a343b279a0a79c4b54df8c4c962c7ffd4d1f84c3bf7c51dc4ef85c1aebb00e283ec7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e10aad4f3292140e2e15b182fc43edfc
SHA1 112ad49ce946cde754695b03ef23b8082bc08d07
SHA256 2c698d6c15211f449819d110fcabbf854bb2599649c5667d05da75297a1ec682
SHA512 da831b4a0794f097c1820536bedf2d139f9c76004768a60cca2b84e4596b16700b475efb1f4201758874913262019fe48eaa3d7301e5151d9a60dd926f58a198

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8956ae739d2fcf1e4d2360b9d558f735
SHA1 d189ea61b823a157d3b78cb7f0bb2254b06a83db
SHA256 54b71d7d6fe43ce1cafe18720f3ff4f82387a09348bcf2acdb26240dcc1e46d3
SHA512 c97972634434bcbf0b4f5c2ec21210f7e3028c2d68aef1ad40afe04df15695ce6f71b55b2208f04721d13f034f8299250a8a823751ea1d22584ba717e9888524

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80c857de51001d8b858d20bf3a81f910
SHA1 8f2a4340cdfcd438296a096cec412eea8a0e7a75
SHA256 b6d02e6fc8884562506b6ea9c8465ea76f93f6f4ae1d243044f7799a003760ff
SHA512 6cba51dddc4d1e251ec149f94537eb8e3cc4ede7313d943864aa0e5eb94774a38b02ef2f18d9c2ed7c09a43895144a18fc2bf9a9d4cbf58b43179a314e4fad8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f647896628e0785a2ba3345a1a3a8527
SHA1 abc16bd7bf07e8bdf7e5ef2118b76a9103b1f8c4
SHA256 410b5db9984ff37f5bed495b0d94f0760f12bdf4e64eec76ef6bb06f32b2c06c
SHA512 aea983808aa91867059286ace8f331663acbd525a3892c425ef80541828a9b30ba0d8f07c3ef0e5e7bc499ca85abcaba3f6a4fcb7a7d2f3b298297cbee0faaa3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 921d4005cb13b36217a000b0b1ab2fe1
SHA1 5e0a454fa45f2423bdfceb0d9aff54523da279bd
SHA256 f8c109f990cbeb02daa6754b42fbcada045da6326a77498ce67c1021ccb7b69b
SHA512 d98dd1c44a465193401c2319763b3681b99d52e225fb516674483bbb4ba6396c4d404dfd8bddd5551fa3f4cb7844d5758164aa7d0a2686652367723846971789

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e78c9a0c7fce04fb2f8129fe78c2759
SHA1 86cc1c486251095f149649e166f888e7b5e8dbdf
SHA256 0311d733e9886d4c4bea8e791221abb17216459110f0d307b8dc1e8a05109ba9
SHA512 ba11165ca8c0bad03b6e8c0f3a5a7a11e8c994bdb56319229b9e3af7e58cfb4ff57d51a51d39a3f48ce656ad9674fe22a017f4f218df74afa3504282302a5613

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91e4988e1f64c3c87f2735d6db28f6e6
SHA1 9166ba2e29b349951c620bd5306074b2368d70f0
SHA256 dc49314775aef5605bb3965ae7f7db52978b98c8669a2ae1cba87d6f1b5af2f3
SHA512 bb18ee65e2cab8613456f4385a542e2f777b939428c6093b2b667ef196b1c4b55502e8b2a220b6d2093b7c8c005a652af56a91fbdbda07cad4725c9eb4473c8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e737dee3f412fc71afb6ba29b32c5fe
SHA1 2aeeb5ff6a2ac5742726e089976c31c4c09ef143
SHA256 331cdb4fd96aafa2a453fe607537e24ef9cf100dcff25b65472b8aba65f45e0d
SHA512 75d7186762d497912b908efd28b8c394efac1b9d3baec6c5893f394218fe01d86a320291ed6c5da5077dc16ee9f43421875d3d969ec4e364cae2ec82cdd6973f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99023f942853429992051b45ac93ecee
SHA1 4a3a46d26bf3f5b7d2bb3a3610ab8edb22c78365
SHA256 cd5d043b2cb30092068f83851fa2eef30eb19e6b9fc0af3eb5ca225382ea1edc
SHA512 b8243ad730c95b1172a1774ba8539b276da9303470ab07d50b41f2ada89134293cbd1d23ebfa53110177ea89ab9dc97b4c6a582f66c9d8b90a8c9e83c79a0300

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94db11d846254180719c07facdabde5f
SHA1 1bf69ec7e5c650401c59a646101fd24b2b6de53a
SHA256 c5455c8bb86286b4bb1e4eb8ffef5ab73fa72fd5ba5552eb9e0b71c36145c6b7
SHA512 348d850ab972aaac85547709e78bc5861f3ef2cd5c5bf7aec4308dd7cd90de5392f291e51b1da940d28e275abc35b31717e3a39e7b763b379b95561b7fe23a76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd2265357e8759a4fec8817d17579f67
SHA1 ee0f09a951611dd0197fce88f740c67b069cf52d
SHA256 5f11b81212fa8a5e703f20fbd13f081c093a02c1c2ab1694d7ca6ead2339fe5b
SHA512 715fcf3c5cdeeeff99946004a4c57cd9d6377ae5584a233ae3428ddd0ce8345b8a7664f4ffb0ce4e2681fd1d777a99d8fe6046d27fedb8b1464365f7722b03ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 788455c57b647703efed91e3a2cac623
SHA1 e01cd51581f09158fda33cf2820ca53df521a5e0
SHA256 da5cf67e50128081603737dc8837681d62fb77a357dc038ecc541d33ee9cc542
SHA512 dfda244b59798e346e8705aee2071ae401b5bfee75499c5c793c1f2351f38a09dce21177fd9ac542c87bb65ec403e7bb957202c470769440616355c6a25517bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9ae4892cc54623bac403739c29bccdf
SHA1 f083d7dcbcaba95403daa80104b3b5805948be74
SHA256 cf985a1bc01a198d8e4e11bd1343a39a5cc9a4e2b67bc1dd9c5feb55bf359495
SHA512 ebf93ead6fdeef8df57f0b1ba5672439a7aa24e0ee854198058c47bd3b8febbc8eb42b40aa85cb5ee0c5b0f25c6000eadac2f23542cf04b20aa07dd3f949fc59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9d6cbf6a10d599131b2b2f239117afc
SHA1 8132de6daff5faada9fbad1272a4d8c12e60a5a1
SHA256 97e68a598556f27db077b88d750046927692458498243571b7ce321b34ccab72
SHA512 4b4a848364ce64ea6e3fad2c5f3accfa9bf065002484f9d4c4155a7a1b0e09cf54a791946f77f8055df5d5a8b8044bee6c30cb4119a7cdac269621cbbfcf63e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc04470cf64c8ef465865b0e7636b296
SHA1 a22c7c115ff7d96b971e97efca24521fce738bf8
SHA256 748525a2356895458e0f011ab712ccdd7adcfe1d56aae04943eca2b3014317a2
SHA512 2d8268db4cda6074d1f06c2e849121f0b6f55604403f5acdcaf4eabbcbe9ba47bde95611d612970f9d304091e85291f4e67514626ba4977f2c09a02105f81e43

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240221-en

Max time kernel

121s

Max time network

131s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Nymph.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6957FDD1-35D1-11EF-BEEC-D20227E6D795} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005cee8f2a1b0f3d438e415d880fc2673900000000020000000000106600000001000020000000f767213d679a799ab8cc85547a88336e129e1a42ec5a7e1f8fa8759191b34130000000000e80000000020000200000003f204e78cd6551d44522a8834f47193262c0bec4a2c6888007d73da093aa45dc90000000969af8b914f3f928143b2f1b9d155ff1db755b389c07f9e76df81bf147f0ab20c3d5c6bf223dd99f19027fc37a3089eae91b51c25680c0bc0d9eae89db4a1c52a6664daebc8e0f4898a08c286c2ff990c7ade5f9fbaa2137ca2df78a459f420ece44a6db33dca99c8e2857a6ccd1a7099b2435c8b96c1774df25677565b3a8fa768180d9fed62d81c5477d5396d2b73f40000000b9ad2a69ad07308ab5bbda72c97abeb950d9077979e33e66f21bea74fb1a0df677c42da9bdd52507c960c9711ccc7f8625c03fbd1b63e1119a9c9b25463e6d45 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005cee8f2a1b0f3d438e415d880fc2673900000000020000000000106600000001000020000000347ca5039071ce0e5d63fb35350302da7fd432d157e9115d66d1474873369459000000000e800000000200002000000000339c1000cd2a00967e760672f0a67076a8a8d31edc462f7e64a1f159ad665c200000009e8343c8ec8c26178b148c0249241733d0edbea9db053f25d51a4cdb91c1db744000000043ed048d8e9038ee27a910461e591eefd0188567cca7971b3075a9fbd6ae2919acc2e14a3a6a1d31ecfa2d4d6fdb883b77528c575fb469ca4bbd9bf633786047 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00cedd3ddec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797768" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2124 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2124 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2124 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2804 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2484 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Nymph.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab3C87.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3E04.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 53934d624ccdf05595d5458cbdf216e6
SHA1 e0551a5c7084dd49869286f1244b6e6540e2fc16
SHA256 d7440296d212f735e75c3f7569a6907e2d6d994a8bd2613358f7929e3a08d35e
SHA512 65f97a2abfa761123cdd4e3b994dee3b2152afe55c68488ea1499b5cabd86a8d757e912bb8bf0fe2cdc064cb441c0feeb0aae164a56f9f27a7d375611b6565bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a6163e11b10c4e041d5173e6141012b
SHA1 5131fbc787b5b282178dde4dbf194869b153cd4c
SHA256 2d520ca20653f0be80e0221439aa855fd328688f7fd30d447a93e524aca4cd1f
SHA512 5e99490bdd0b800f3ccbef8cfa8a655801cefdf9d843e9bdce20d2b8101af6df529519f153d675f1798a8e212e60b3f9c7e85f374ce40cbcd51e82ed2d644bcd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d861f355818464f3cd96e2ca0dc3a77
SHA1 e11487b624a6d5062bc4f1ee61250da1fc6cf482
SHA256 cd685258a3fe736a756df2b1d712eb07d0ac74c8178104f8be92646884f54d6d
SHA512 9b8463ccf5eaec0d5d02fca96644947eb20b98dd86f6483d305c6855eca52dfb353fc81db20acd018b2c7ac009a7ab0f4ce03bd932af23769e2b8a7427b9b26c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84772e39a56d85c8a288be8726e8f2f1
SHA1 58e439e60615507c91699c86a5409f5164640bf5
SHA256 37cdbb8e89543a2d8ccfc464f34f5433413056f4ed16dc1839b992779364c36a
SHA512 114487f205c2439e1ff5a70927c34d9422bba80578c08359307a0a2d5fdb0bf61a837c787f5c52b8ba36700ac934f29d9537d817046e625b6a5e98058d855ced

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35e4bdca9e66cf338250271a28bb0118
SHA1 e906aaf91dc2d2f06c639773fe9ce0aa3877abbb
SHA256 a378c91c7cb338c4a1bec639d7eb3e96c956fcb381eb3b24dc1a118ed148519f
SHA512 e5e2af3932d8db57d8587f4f680931eac70cd76e403186faed825c79428c4a443b1e54116ef24c7c6196a5ba343018a91c351568625a415b9d616a49a16b6b96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82e8867fb9ea40b54926a5ac7c99605f
SHA1 a67b276594ed39950d11adb96d1630057bfcd349
SHA256 bad262bf0e13ac5df89a3ed27133455cc6060835c68837cecd4148736fc29b8f
SHA512 f4190308b8fac187ec2c6f466e355ee3f08050e5cab1ff906f577c12053705c9fd81edca94ebad7f52627716a8113102c0877e9b0f07ecd41157aa87c2e32df0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 784742c6569290c1eb05cbd635b0add7
SHA1 2b45d864f2f30052a000ca67d1cb5c3f3e02acb7
SHA256 4e23efb1c8d999f99eb656134d834cdb0410f27bc92d5eb0fb8da9f7169271cf
SHA512 6aa6530870c325907e16b1f716069a720b2414f292894521a2ff8f6c1a9e5154eff70880d2543693fe2b8d28fc3d1fdbe3b1a03dc7db6ad23e72728097814f1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43bb3ba44290dc8c558ef480966d3694
SHA1 f74bbed342ec80d4651445a8c3381869bf7561a1
SHA256 4b13e6bddb3c20452b3584cde9cfed8735c5c3902444a6955ccaf6433291c04d
SHA512 8eac0c1d96d799f691bd63b0f78f2ed476e66a5b843c827445aef49cff0f61bf15ced36d5597bc4a86d22647e1254316de215c08c5de56bbcd4823f2fada3e4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a6c7f309484e3872d6241975131a5d1
SHA1 8800348e9cca55db75be240dd7211aae398f91b4
SHA256 b9e6824c7b54a6173149d795cf3d3226c33d28ce2bc772ff11c6f690df10a493
SHA512 aea323a0874427f48a5510a10e43ceec5fdda9bb654de33475a5f625898e9ce51af2c6ff28ec37584197325f226d10a36ae03e603e1249fa28880c5c66fd26f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4e7ebc3c18fb34ea61d6625d83027c2
SHA1 6156b0068e9fa1a70919273991a520b8b2b24c3c
SHA256 1cc44706bd790eceef1234cce10d8da6dcd843db9edf3a47bffe0356a23053ee
SHA512 2c03065c959bf1d2718c3d6191fc19d03c0a1edace3e006ea44e7ee6d234eedfddc6f87fbc283eb27393f386e109f8255c314bf924ec4d022b42e9ab81e12f00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11b3262354cc02edd4d916040aeefb89
SHA1 d9a90c016a89a18421b7df31f1eea0e921fbaa6e
SHA256 b749b9b11d36014af2d3675439274fe6fbaab13fef78fe3fe7ae942c532d206e
SHA512 8bb70f9257f5c5968c65291eefab0e88ae8c27d5cd9a43d5c3c28ba885fab8ce76684775cbd033669b0c5b5c4abfe94c7efd1de6766d052ee8cd89734fa9c4fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a21332b53c0e4775ae01ab518077642a
SHA1 ce6b098669ee86cabe4f5915a2c2d0af7480a9d7
SHA256 a021abf76e2165cf90153268756cb1268dc93b9d34426a71ed86bb690ea1e473
SHA512 9f6aef0ea1bec718bf8a8ec73f61a6175b748c60f652822aba6f18075d042a3a2f1f26656ac6a11c4df3eb69b729b9d1c535373be2f344e5cabbbfc415e5300d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0dca713b2fb49a6e5e2f0ea7588811b8
SHA1 3dc30632eaaa14be93bad87ee60a13a300984c89
SHA256 d9b52a98ef651fc2f0d49d3f22be4bbc846387495f54107a9d6d0810d281d755
SHA512 15e35c0df7280650760f877202d651493922cf15a0dde621f00728102ca672266856ed74e0983c66790bd01da16859896745c5f07f3d0f47e150337e2d896a7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09438f67f7fd314397b8ae7a836a9d70
SHA1 c31929f2a301f135aeb7cfb0cf94afc513b59078
SHA256 0d54f629f56a76e3cb5e64b146a129aa6252cb60f1d1ab1d79a3c47c51a3edd4
SHA512 ea43f44e8761d32adb08448f453b1a2c59f39866cdd3b6ab103f7a95404a8a5beccb70b4871da69dfc74237c40bf3d2df69543b35404c209de664b0df5852d13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a878f35c6e8b0d0f70a2f29f804165a8
SHA1 47b2aee6c58cbf3002c88cbf6ef93737f261da6d
SHA256 480104efbed944596a2e688f489ff6ff11f4e326863e753ea997b3040d126340
SHA512 e97a5d91fd6bd22a7681274693f3faba56c9779b2bb28e607a52131bfc5171f3fa0336673f08750227df5ec0ba01c3def85b6319e6a6d34edae01b8ded8b8bdd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5dc5f4dd8ddeab5e61901209d3bf70dc
SHA1 3436057ebd92060b037b66c8084aaf4dd12aad7e
SHA256 3e6914c7126d7f4ce5e25a9c7bb8100c5cd76252e8b4b039368cd9a02cd19a1c
SHA512 d1765dab55c0e28f4368a641db84e99905926da79ab47f87d71a67d0e508fe4718e71982631baaa0af0e6e1fab7476995bbf13a5e156dd55c2030c4aab0d5acc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b1830b0e9f8012c48502852d0adb655
SHA1 836b9cd7fded553a3f547f79652fdb4b2d43e345
SHA256 e3df517f37eff9fc79527cad029ec784e361137fe1c44a77e71b808772c3547a
SHA512 07f1d0f52eda93359e38012afff0a8570dc6fc6c6884e0ccb80e6833b89acd6cabebb2e378f7790ec88b93468f72643636bb30d86ebf9996fecb331d19301a1e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea9bd99e46abf5be5e4efdd37b7f4c65
SHA1 e5408c634e9b7308f472f3241c7d6fae6c16aac5
SHA256 88f2737195dc2d4f22011fde109689fe7d9fe264882bcdff1652d5d5a604e35a
SHA512 c9053f7591412aab99f538b64d632dd26acf2b5f81e47f64629683b9546036fdb8238d7370b958456d465a487de606663ef2ffd7f04c02b91f45740b4f3eb19e

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240508-en

Max time kernel

133s

Max time network

124s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Bestiality.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b0000000002000000000010660000000100002000000079e8633cbbd1038f7d0ea645105ee9366ba753a883f31465d0e870216d9c3381000000000e8000000002000020000000bb5615b19106ee4c67fd8f653bc5b55fc13c015db3840766e9e919772a9d5b57200000001665da0b44dfc6f2e36f320b5ef284d1037eac9cb7ec941f148d94bd26d4d1df400000004f1f42663f6c46b2ef7fed4eb0b426e82269b0d6f9ba906581c2d40c8bea009af920b76a1e8fdc3a261e80bb3ee5cd604ee38d56d101dd23f5e902ad6c33b3ff C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000ab22dbdac92b0151d00e4d13b4c5451ca9bfdb8fb977665972a4d8e8caecedfb000000000e8000000002000020000000293d61db26379e0849d4ba2a6ecd5e75f6f9cea19098df0769abb3c6721caed29000000019832cc276375f6cb8f7d5e8d66005105c041b425ce14d64b1b95532fb48a58edad7de75b467455dd040228567b9764c81060ad09eed42affae9343bd35e0a1ee77fac8176e32b04bc735356d8788a15dbfb09b18f4c518b5fa929aa51e8c46d50f1ab409fc25651b01b96f146a6bc49e31cd8c7c9053fefb381a0c4800217739cc28e7223d6650b363e66d3d66561c7400000006a335d3ac93802a7990dddc1d03b3830d3da9f3024ac90883c102950f2a1872880a343fa7c2acb4b97327b58b4009c20b51919c83a5e8684dd80cf02f329fb69 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797790" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{695EF311-35D1-11EF-928E-6A2211F10352} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a02ffa3ddec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2640 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2128 wrote to memory of 2640 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2128 wrote to memory of 2640 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2128 wrote to memory of 2640 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2640 wrote to memory of 2288 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2640 wrote to memory of 2288 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2640 wrote to memory of 2288 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2640 wrote to memory of 2288 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2288 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2288 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2288 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2288 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Bestiality.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2288 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:41

Platform

win7-20240611-en

Max time kernel

120s

Max time network

153s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Bondage.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000b9f6f3b2cb99e3172b6ea46991cf5e58aed009142463988ed5db734b6431df95000000000e800000000200002000000097451d3e2129b6b0153ad3bdb60ff7848976c2f75d718f55bccdc52e0ee6d4ff20000000b9bb76897ef7eb6765ef2140ed71071fdd94f14aae44fcc3872320b3f6387b9e40000000c8c96a6686e3c134d12697481a8ba1394dd5bb88a1a738d669147fa91d99bc88be186539e0c639416a3abc951c1eaebbb87fa6d5d0d46736b8ff741ab86130a0 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50535947dec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797785" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72790711-35D1-11EF-9A64-5214A1CF35EA} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000062a591ce3f21ae679ebc868eb7883cb76b4355fc3230c973116571604c4f17a3000000000e8000000002000020000000171434af9cec1de0e04ab5bc7ff9adaac34d04b1ce37285bdf55c18076a9db44900000007e7116e75737be0c492277816c20257e201386aca648d6681a9eaf395f7167b4703ce74278f6b5a8c756dc694cb50ef5714b40e3e5fc3f0ef0afeeedd0eb809516a59f048ce448657acc4949b258415f524a443276f88df8834ca6177cc99dd0fb012ea3390c49217339582a0debc88856700acc9a429183de9b6756fe5ee9f8f50c7952cd26508ca5531f65c7ac2f1e40000000a33a88336d1164225a81c1163c5446267f7af66c21db06c55e3d81f3f7f53a1ad8000385adef16e997d900ee8fb57d029bbc2cf519fd0b992e2d863fc24623d3 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2064 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1728 wrote to memory of 2064 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1728 wrote to memory of 2064 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1728 wrote to memory of 2064 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2064 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2288 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2288 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2288 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2288 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Bondage.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabB703.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB783.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5a8805cef9a0242aa92cb863ea4dd6a
SHA1 f6084efedeb92ca6d3ab18c8c22d83ec7a3622a6
SHA256 45fd6e29884f99b941e85bb40504b967c41070ef62f9bcd79d2c78c07361580b
SHA512 53a3c18d7ef409190906920d7dbd70301f944b098656a0a9b3c572b16979375c7b8f8c4b18ef2ee9e5c57d8e7f38ca21f79d5acca5dbce97f7a6c571448b2c43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f9b46517ee2bbf498f5b6436520c6f1
SHA1 a0e997d958d76e6359bc7815f5bdeb6cb918bee0
SHA256 f8c66786c4124d18ba9be5816fbca13f167d197a0496d8ffef36088017c8fefd
SHA512 8796af475a9acb7c4e419ceef2dff095426a8e56353c7f5cc0cf9d316036a64501abb84398853d0a0a0b039c66a4764cbdfa1a23f21e89a93747b2919d3ded75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3822a9346e0ca87312e110ac23e65862
SHA1 417f37a76ba33884a8deda49a46d29351e8b9350
SHA256 50cddc63af4bd838fddfff78da2ab6f0cbb5cbfa1fc937632731fdc6ae24db4e
SHA512 b0aeec3fb7d6bc4ee0375d1077e3a1519b1087218d0b5de3321a1449845a82988f297aacd2010c53f60606bf181ecded60e665f50889d53921e85ed6ee15820b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16d9da36cf5da888a7dc6faab2c8c9f9
SHA1 598dc14bda60fc7bc1de2f44851be55aa2bfd0c2
SHA256 5818e8514cbdb143022ea5e01649d301c22599b1bdff7cb209d245b2bfee32d4
SHA512 3bfc955f32567a2cfc45189029cae7ef446b4a57dc5144a1fa13bfde40ed789e273e3c686bf3ae0eed53ece4e7030a141c827c3e7913c89bc4fe4d738c722628

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8579e8d22dc8afd2edfa0909200928a0
SHA1 10372fd23b824130e3c33511f4996f69c75c95dc
SHA256 0f5461b4a0000be33d4a13606790112ffa199955719d8d6b239cd62ee52f032e
SHA512 a0a0f5a0ac500c4b7072962fb8f9d25d4822ee4121c61152cc52e4c9bbf06ccc81408ccd8b74fc6a18a5366fb4fd7ba93c24f8055b74dc846c4900cc2a91dc2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 21d0030db5924447ba920b5da0a8aa82
SHA1 fc326b0ca2286e758f166c74bc2cc32417d6aaad
SHA256 06becbaf6cc4bdb1c8ee2ba341592ec315e4eb2af64e56b41df47269c3c7e658
SHA512 52deac36fc7dcc05735832d3ace6c9c6aa587297d90dbda3ca5b6e9eb26921aead66d348d745240db0a0867b13197a6f5aae7eff19a9e9b2b3a1bfb655c0be4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4210fac8725160a64fcd550f3f45bca4
SHA1 078d9e685c565f29b9e6537b9283ffeb487ca988
SHA256 65e0e043851ca2b00ca9ab6d1a1dbd5d609cd29b1c292aef65ae93e06a2f4b58
SHA512 8f7257f66cfe361a5033854e41a07f9cb4435789a1ec8a2fc7b108ce1b71ce2cd3ac50a874c9c8d500b7015a1bf7aeb3bc4790f87d566bd2721dea126e5c5866

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15f1cdd8c5556b21f0696baf44274ed1
SHA1 017810aa90f7d33a8fe6d6b4fe107cf6aaf73061
SHA256 58606f3c7263ee4d4d836a6526802c68cc031b6de0f9550891e5357a8ac88bdb
SHA512 003ccdcbf4da7c93a9204af92d39ba2c2178c57c23fc3ab9f42690f53d7442cbe264a35855fc86579e87794a7042e8062104ea92e0fca38ef5922786b28b9cd3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12c06048a4e1622d3224ad8aea007f28
SHA1 de2adb89ac2800b02261ac3f8764452738ecbabc
SHA256 ac6a2b3dc6a9ea48adb6935ec363ad7d443dbbb49a472b751be4f37b25a95ff7
SHA512 7ca4c04b58292e46d57803b581eaf7fa73cd281c6d08b08bf2cefc5190c4c363e5a75c151b3b9f21241afad1d6e8514430ac520ad02f18e3671c8ca503b65e22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df7ec31b5f8393173b600a84dd0294e5
SHA1 1a6771e48240e252cf70528f37c0824f42f7c69e
SHA256 6c1598c3f095925d2251fad70232400f2e488fc6305adaf004c6595359c87600
SHA512 767bd2e04454c635057edf628b1591b6539859806d9224e746a72d7ba46ad127d984bb162cb356c1157484d7d4fd786d9e1404c3b6c603e0bcce3e7c92308ed1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16f010aeaa90ae90acc00004093a8fa6
SHA1 c302610f957faf7dc2441eb93db64c551156118e
SHA256 e9fc61961d9300e8be11635d42ddab966d7c84261238e11bb4cae0de7c176f15
SHA512 998178e42039bd210238262641adb05cf931ac7e7d3b232d1431173371f3b364e611f653b6cc1ad44e604c3ffb41eda5b7fc8d42ecb49b533b9bd159023e753f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e25ca9de96e687e6ef035f2f889d342
SHA1 a6a15d257f6aca91515171520a4d7c4555a7aaad
SHA256 e42636d7f6a8b033258e0d62a38496502798f7e18dfbb3cfdb85972cae8a5596
SHA512 808c965714f8e63e99ee99ba69715209415650c36c94c09fb934a0a69f55d6639cd248e9899b0aa5f28eb3eef49ec410a3e3fe758fd531296407598012ff1a4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 540b250e53a28d1b8734edd365bdee0c
SHA1 6ba50a9687c96c6dd07bd9e6959cbe4af7398a69
SHA256 442cfa74fb13f12c6c6c465cd040aac7f99d4fb205186d18d84bb56e315c0904
SHA512 3fc5b969143935ed14a726152551fb7c4781aa52d5c716c04fa477949f06d0071ea4af438db3a1d83e184e1e31e130e655d0ff744841f9372fc7c6716540050a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1835984346fb62579991efbfc4f21dd
SHA1 83d078360d6493902684c2ea66c15c39e307a754
SHA256 d01863e47a1cffa21af38cce2e3332d9c773b7787c0435769bed2064b1aff21e
SHA512 0de70bf7d97475a2bee5795cfe1eba804e8e0dcac8c5d04338faf7a6bf43447996ada91ad3ff721d67500d4185d2eb6dfafd878f75a8d12e59b8389d05c05727

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 035d8b49bfd535420971487f93e16680
SHA1 25ff6c1c8b59ed201736b099f108a7f202bb4728
SHA256 d4c40f92823ef5191d70ae6ea688836cfdc9c0387cc181abce48a927588d28f0
SHA512 90bb65dcee03939f6a889885718c708c8591b9db98fbb742b030649a4134af03b6b81940ff7fe1712221294df83a7206f1f00a24f43d9e93fae5f11eb10bd520

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4500966a04e5a25bed68cf9778876b5
SHA1 b434f6ee90d4bd3a46c012614bb00c767d92267e
SHA256 c87c90928079803e5bf4c7d75bb656a35ab01f90bdceeb33879c04462a0e09a5
SHA512 6c238c9112f8eac97c2c309627b9b833f8632353b6ae9cbb25bb3d729b3ed13e9282481488cae03f79194a5b37509a6ddec63c1551f818293eb8c2a3f64a2fd8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 282c41079f01844f055bff5e6ddbf378
SHA1 481cf9e544c003100b9724216de2daf24d422826
SHA256 c0885face3eb3f4b46736a29bef68fbb8d96b45fe9551bc5e7881d6e9540a476
SHA512 9f4bbd27e42511061654318149cb0ece1123b8ece4128381c3861f5902b2d346984df561d95a446722334686ccd634ee965ead281f3f7a914815e8ab45cecab1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 399f659529c0bbed10a52109664e6db1
SHA1 557448a6f10bf195e8f15c98792529b2f0b889a6
SHA256 6efb1b5f6461a3e0b5982fac99f743f31a44d404d93c98d59eb8229ed491b480
SHA512 e8b2f521d9ec541ab4cdf0899c95c22b1aefe8dbca2eb6e2fe4040d81cdd3b47b21bfeb791e81bc9f9e90d2e6f1202927172fa6e166580f30e4199155146780f

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:41

Platform

win10v2004-20240226-en

Max time kernel

116s

Max time network

200s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Bondage.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Bondage.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

memory/4000-0-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp

memory/4000-1-0x00007FF9F578D000-0x00007FF9F578E000-memory.dmp

memory/4000-2-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp

memory/4000-3-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240611-en

Max time kernel

134s

Max time network

131s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thought_Family_Beast.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a04df53ddec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797768" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000ea516e4f14e1f91146b48165b6a247c9cdb0f3699f9f58c1cea416e429baf309000000000e8000000002000020000000d8413574fc32663dff8584312d3347e9c72d573a32ab5d022259e6521f54e5ff200000000e5f9a9f8a0f75762befd3308d0c95ddd76e58ec2cc1b184e8a8a5a435051b4540000000debcd1d50b2a063a322b910be9d5165f55c9fe64214f478956c55d612776d16ca59e58e138661ad1595e1110c22966b6ba7cadcd259f385180fc5ca1b7e81b47 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000ad343fe93adc38b1cf01295a1054f66d211d24c68029067faefdc9207af9a8a2000000000e80000000020000200000006724f60a10278b8d105dec27f14bae49ca4ce010f89803e5daaea73aeba64c4690000000cf09eddd59683252a877ecdb4c146eafca85d0466d829dc9f4b34b8675d16492271b3b14a1df9904df22d37bb373b58f101b503c843375610f01e9670ac1e97bf59d9c34001d2f5c84340c5a1aaa887e93eb78e357e96251c7f4be2ec9c6ebc6d1cfa274428634856ad151352874d5e180642514d73c7e9341b9a1286a1e4c9d2b0d45cb0fc9fd5d7b49985ac566340040000000f96792e447013096c03c8347b52cff4a5d0440fe3b5a7534ca410463a8004606aa187f6dc0bd7876dbc9fac4f731baf12383a200cf33283dcbd421673d7f581e C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{696D2BB1-35D1-11EF-8132-FE0070C7CB2B} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 2144 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1716 wrote to memory of 2144 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1716 wrote to memory of 2144 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1716 wrote to memory of 2144 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2144 wrote to memory of 2700 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2700 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2700 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2700 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2656 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2656 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2656 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2656 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thought_Family_Beast.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab55FF.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar56AE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04e364389e84b56cb7cff65e9429598f
SHA1 6074bd5a6944f37a9da18ee1bbad319632e199f4
SHA256 d7b1541d99539f36a5e36bb8518468223146e45378768a59c154f41a04a26b07
SHA512 bbec0a48fb20534f7a7e05afe0fd0911ab042a518f6a9c9ad047f765db99b7bd4b6e5ff3366ceb68dd7f559f14389f3395fb4651e2b170dbc42355b5e3c6d607

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91d9243f39859e66c858355aced13cb3
SHA1 65687c87dab3cdda82c8ec58f5bf7757477522d8
SHA256 5974dca468c3e251d2a157be85bb16fead27c4744afc42e2e11409eb3c2dc1aa
SHA512 43e9a0b31fadb45d0500a48743ffc46d00f5221731554b26545ddba973df790697d8bc46142b2bae2de0f29159843e3ce0507cdfc37ebc59d50baa5ce20a183d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35f4134070fb6c73dd1a00ba0ffb9c66
SHA1 3eb449d8ea49c117ac28879dc594b17fe0d2e517
SHA256 fcdd84723ccde324175bb39e8bdf3fe9ee1555f6ad8df27e2c308e20d0df0e8a
SHA512 a54d54ed362c3210f81c156c3bef407c1f845fb41208793438932b253639d4aa38290ba3871d0a994a17bf27a0845675de522690584596be963752dff9c48600

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a625296d180262f3ab527334db6d0ae
SHA1 8173353039bf7affb29309afca0b82e71f8be9de
SHA256 78182699910e4c99f919cc3c0b389b9d8c5a5afd0c37f0308929af6935690934
SHA512 3f39905cb75fea1a6c7e4a703b76551ca96e80cfddddc0fb9d1721e333742af3527104a985fd23a82463abd2dcb6ef53d1109824d483262a6c40b5e536948a47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0c95c5ff89f23edff09d41ecd2e06c2
SHA1 81ab81ef0746754417a9676a9ee163b90dbc6506
SHA256 773505f9de6abadae1c9a9634c5e92b9f895343d38d18397d094bcef7cd477c8
SHA512 a6b490173e9aaabf8147ea59dc1cd5075b7c7c5391fae816b91c1a31f136533af01a55f505da01c2a0f44a602b0d33720fde5d3eaf7db058a4534dd2d27a7d3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b957b0a4c43eab4b7ad70e1b13a2fc3
SHA1 08954d89d2f2b558a9644c04b92661de0916a7ca
SHA256 c03812ff3512b1d0cc71c57fd3bb65dee9642179bc0178d1dc7562b0a0561282
SHA512 6d272a3470e8b2430043742321a4a7c0c7552e3657e197b71872dc9651983f282c8af36b4a9470e3a4e2fe9d5adbd673e798dca9d1a4d453b9b2ccccda422805

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 040047d38b5045a2bbf4c8b4ba174143
SHA1 0c7e2b89b87d297a79e16e5327a17f3a32103d6a
SHA256 1cc4cf5c9afbd7ed883bc07cf6bdc261acaea39f1240b0bb1af8b3c21ce9e849
SHA512 d2a89e42598347426a1a3ee447e02f470a4a849a61a87f27644e437f76dcf084d4dc33d35742f555c45359875017231680b6ad5e68e2e8353bcf74c32d1419ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7be9d7823fc794058eb0d781fbe61de
SHA1 6036c1ce5ed90c60e05b5786dad9ec75e9715bce
SHA256 62a6ff7c37a2598d57fe7957becc4d72150ddef7f48644eb21e1eb40f0b83d58
SHA512 2d1f9f884d79514a65f7bd1f3d37ac9037d56f82c5a59836486e88ba93c4ce7f58b33bf7c8b356386f1fd144feeb62764db44978454cb78c09d9b796478dce95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae70df6bbbd9d6497ee073fd133023ef
SHA1 159250a31b50afd1d88a1382792b35ef86c9b943
SHA256 6b5fdfaa8fff1c4fb2bd2608c352cf4a9bb41b59f8b93b764c012aea57ca76bf
SHA512 3f091d4ef1eda2516007b88343d1778d3ce7a1c3691f712a62a0ad12d6065173ae561cca7e7f267f4851c0ad1c3963771622c1cc7db98d685e89e144247843a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34cd53ee9e5b7a9af8ccb56eb5ef53a0
SHA1 7e2831ca82e30bf991a9767abf42bc1df6288ee1
SHA256 2ed99546dbb0713496292f8452070602901c24e619ea7713dbdc20d3d27a5316
SHA512 1d519f7b8535de8d1f1b84778261ef4138ba4c64b4277b581fc568f1d8cc5e5bf90e528b4cdd796e391d326e52851d20d01a7d455a4a70e551b15a4aedec9046

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d0eeaf3769c17edf051922dfd5551f2
SHA1 49d35461234eaa96509a289cf9f6303bcc4cffe7
SHA256 f34ff421ae77a044251d0a228133be4db1edd5ab8d52ac0cf0bfd40513371388
SHA512 b321a92ae84d22c3e59e8b35e021f216ab9766bf97a3e981405b6e2d8ec3ce831a6961301f97eb523a36b10c35fcd5a8789e3b19e1949e9a652a22e9b67d785e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a457297e2c0196673fe004cddbb3df3
SHA1 6ce321eaa9beca526d2d33f99cb6fa29e55a15ec
SHA256 dd099967a3adec93ce73e31c68b61d3c86fef5a727b36e27b22be1a85a9fdb62
SHA512 34e6a6128eea1839df754360c495739b0aac456241cb45c8409ef57555f2855efc80973a3dea61cbbebc41a4a103322080ccea6a0d3391395807c3d9069932ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e380f6aaed9e7edee9693850a190e60
SHA1 e354ecae51b95a5365589447d6f601f04c97508d
SHA256 bbc696ed0ae1d14789fe8f91b09b98cbfb44a3d05a2e0bfddc926a39378b3422
SHA512 ece990963b69e419d68d827ace3451ccf7962889e8bc9d66690aa57e4c755f967dcee95c5d415b56a360a7ccec73ff8a0315dc2f7a1bd105f5dbed46232a7c39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1183e826dbde1cbe0d36d6959573fb1
SHA1 ad3fde70d377f9f34541871ab675d327eff55e85
SHA256 42e0018002f2f7ead18bb441ecdeefdbc4ebfeade5cfd5533690170273bb29c1
SHA512 039d61fbf2a728c0531f568124bb54e1806334a3a4a437d3acc35c14e337a85e5f12a9f4c2a418afb60f2b887274b5e38bbd4e9b4a36bf723ab4b090f36cbd07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d9dc1d1fb9e2619abce02b585f7e069
SHA1 3d2fcd9daa38d559146b88896e6d022f8a46d79c
SHA256 42a14b1f252f88273add66e68f751b9361ff894bad14bdf8c94d90bba2de6f53
SHA512 2e23ed6fad7c16d1c3f5d8d969bdea2bbbea33e5110dae3208e4c0eea2f56cb862b93d5e64c035d3237997a2b6882ddfae76312df614f11ee75a2e0de4e90a9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78ac0f4f2d831894ca222faf0ad606ba
SHA1 918c60648d10d4ec7946757ee6cf561846eeb523
SHA256 d6889e1491bcab85b55cc345ced8e911264b5616e3d35a54bca5253cb1797ec2
SHA512 82deb0da3afbb6867392ad52995db4412a3c7b4f2dad604928f4fe36f4f6e69be703448f7e1e8ff2531fd5619fa91f7d9f8366794ccac9b184ed788bb2fd10eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0cb41b6ad1b27d7a0f516d16e06ba73
SHA1 6b85659a8db6693f90781d53bfe9563445eb1c1c
SHA256 35107382542b17424339e74c8bb4eccda9db050c8b3b4eab8f56a60fbf26fd90
SHA512 3658c6a7c83ae4b4c6d8b1da2a8c5522b5769eeea77f9b606c2e4372444691dec3f3d9a1afe363fff2187ac27ca7f4fe2826e1ff7f0260aee61cea70c8ab7f3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af123abd99eb201809e70a2e61426c47
SHA1 6d7d07eba65766c795ecebd23551258adbb9399a
SHA256 80437bc2f75dfd27c77e8b71e23d6a5ac38d5d388fdd2517c45224303ceb8c22
SHA512 0530716cff7e0dd23e4af5360c504c8e96f16c05296609303966418acd2cbdbeed6a7291d2443c1461b6229d868b813d298b8d800012a44a619967f3691d2a84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b20b1506c95285540c32307d095feaed
SHA1 948f53a06c2d6812565d6815c778ffedada06bc2
SHA256 fcf070673f6e6bd2556bbc6afb993865673a749c99e946185a71d1e90407fb1f
SHA512 8963b5945563fa596a872d81a21758c27d75b2a8072d7b107f5ff09a44b4e5e57aa13095e2525d55cf4d0e664a0632a600ecee1c886a64ea110afcdb880a944e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\rjw-master.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\rjw-master.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240508-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_Bondage.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797790" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b028d83ddec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{69597CA1-35D1-11EF-9BF1-5630532AF2EE} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000f34bedb1ec90400c14f49ddf0f7ef5c33d448bb6d7e68d78182eb65992339f48000000000e800000000200002000000063721db2bcbb089fcab1be641e34af6e79c6fb47a8c3f30931754bee01e3a69190000000f1d06cb3fb943c8b2a0a92d0c55a394b0bf2e675eede1f71c82bd5a637d66927a6dd04556d2bb660ea1bd7494a7aafa5d8a980390ca52a4295ad8531f5dc631e8741910ab32a25481b408d06a06d477699afeb56f231497a551b70984afce972c0472abb29833ba98aaeb2b9de269b2a9faf2dcc243b3c1a42bfafdbf40d87285db5cc1e9a4951cf69c26af007480ae84000000040ea196ad1cb39a51479136977249d0d298e5a7144e172511b3ceb94a1ff8f475a4f02cfa82c25996875a0df5531f69b3b883e364b95ff282d64842388f8467f C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b0000000002000000000010660000000100002000000045a6e041c1dd088817f48197b472fd35874fe8c8797b77fecc4af4e34b3ae2d5000000000e8000000002000020000000f8707a2d01cf994e3a8ca31508847a57e3423e1dae9605f7554568b38e7e2e4020000000f014590f9af093b6528042d772e919535c82729dd6380ab4f8687ae72de077f640000000287b0cbd7e6dbecbf5fda21514bda0d2b22a6e1aa615d890954e0a52fd950dae032fe64c04fca16fb80308893d394b1156722acd9505e976f27c4d708e8a369a C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 2856 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1616 wrote to memory of 2856 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1616 wrote to memory of 2856 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1616 wrote to memory of 2856 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2856 wrote to memory of 2796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_Bondage.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2796 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240611-en

Max time kernel

144s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Nymph.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Nymph.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/4152-0-0x00007FF9703D0000-0x00007FF9703E0000-memory.dmp

memory/4152-2-0x00007FF9B0350000-0x00007FF9B0545000-memory.dmp

memory/4152-1-0x00007FF9B03ED000-0x00007FF9B03EE000-memory.dmp

memory/4152-3-0x00007FF9B0350000-0x00007FF9B0545000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:41

Platform

win7-20240611-en

Max time kernel

117s

Max time network

150s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_BodyParts\Items_BodyParts_Insect.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797784" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c04a0548dec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{725F8BA1-35D1-11EF-B98D-FE0070C7CB2B} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000080f0a6d9c23602e31a0c07c9360a8d8c7788296a2725e0736f454bdb7ff7bf60000000000e80000000020000200000008547ec69cd3baa8f90184eada468f77a4d4aef32b4cc23560c18100e3cc32ec4200000003b861464b18947f28f745c5dd667ff7411fba538d722bd374d6298a6dc97cd314000000076fe10405a549ddded61cdd40abece78ce9cd2d8ac6cb8328c15569f80ea5826153168d9d12b1497ababbd1d6a44bc05f3bf5eebf3a300646d7f5f94436ad1a0 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000085293749242bbed108993a303f2cb455227066a3c9dee454926fbe3c9baae0e9000000000e8000000002000020000000028af4cd3989c94c1a3a1144455dd4b1e9ab08a5b5fc434378fd9975b1249c5890000000509cfa966478288c93b1772b3d8880d5da9219709b35d2dad44f59095b9a1889014a67b7e8d00f713ccc3395227d0ed7f5ab37927597ed7228709dea6bdb62fa7695d7875a72a2332e1e2322dfc0a9f3295731e027c3dec9072a693c38f7e5bf8adc1f74bc0aea2f090d15afab059ca9e958ecbf6cb8fc8cd42c07694de2afee22e20475e41ab8a9b22584113844082440000000f97b071f2345718a008edcd5266da257024272052129c7c32f7f799bad4b25ec16e359b9ea71ef01b8316ee42a5731ec3fcf83e88fdec44dc4b436156ff9cb80 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2088 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2400 wrote to memory of 2088 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2400 wrote to memory of 2088 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2400 wrote to memory of 2088 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2088 wrote to memory of 2572 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2088 wrote to memory of 2572 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2088 wrote to memory of 2572 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2088 wrote to memory of 2572 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2572 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2572 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2572 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2572 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_BodyParts\Items_BodyParts_Insect.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabB648.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB6E7.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b60fc396a726abcecdbbd0ad82268b74
SHA1 0c1585964cb749518c7f22a030a388a0abd8cbba
SHA256 0c1d49fb520fa9be534414962061b271c7da8f9e9897924f392cfe10734e42a3
SHA512 3e9f9d89939a8ff8bb824dc5a4448ae72d66fb1799ec0fe18745555fef50a7f3026f081e33410f228f1f0ca1abeebe87a7e49fc3f8db23121ab169807b48a0e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed0cf5c9f6c9c6beb7440c996bb977e1
SHA1 b76f443ea69c15210718e58f70272a97f58f261f
SHA256 029f49bd91ad89959a27648e54a38b8e5250b66da8542e754f5faddd5d10ea77
SHA512 5088152db07f1625278471658298c2a9d9c745a75590333d6ba697d27279c0b985fb5fd44646b3cf0e77395d763be34e7fd8372ffe9824bc646ae96ee8cb444f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57915330c00fa3886d447eac499e3c55
SHA1 f5d46691334da02f8cb9c803c338cab64e978e8c
SHA256 01dd0168396988e581853ddf362d0970ed0bac6d175cffba5e96f3424d26face
SHA512 064acd31914526d7989d6cbae0c4cfb4945083ac809ce7e7d1110d9360c0561ecea550c75b1954df80da645295fe3b6396ac96695cdadc933b53401bec82ce3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6027dc85341ee3bfac87753b886a2a39
SHA1 1c0bd961b694356351b3b5292e65eeac8f93a34d
SHA256 4999cf791031c7b6014253fbafa01dc77a1f7ef093dac1155ac2070a788f7fd1
SHA512 2e80e8a2cddae12132aea54070d12571bd03ea97cd0bb2ac1e9a3657113c40d6d69e5236fa22a85dde59c9d343b3c6795ecab1af1e42f61f5ea52c9f9efbc278

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3246dae26d43c0d972c234f044027927
SHA1 5ca93c7c67bdbeb594a49580e6b454fd096ecfe7
SHA256 078c9f13163bd927f463542acd81d836108f88ba72924784654ec765b98d7709
SHA512 d343c9c52d6c721ea9cc1e6baf07ee35a51e49db4a18bd633d4d5e5bc67848ab47b368bb77b77c955530de200b1e0315739a219272d69bf5baff8fa7c3ef8304

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e43fb0dddd1774a55c3ad2ec422f970b
SHA1 d2d5feb2392d10eae4bfb28f579a275cdb8657a2
SHA256 e5d020534842b7117d3f284b15b5c23ab15f8c6c412cfca95427a6aa009d5ec4
SHA512 825fddccd28d3373cb18d135798613ed6dc807e8dd3445a7745200809b6cd2d9afdf063ab8b1ed0ad407757eadf510fbabf16d48fa5910778ecb16d59c7b1a0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70e18063a7d771e53d69081fba070780
SHA1 08855d49e4c554391f23147025e1af85fb3b6066
SHA256 2f765eaa5307b1c79004b6b75c6ba556615cac4872f5f0357481051a9d922e28
SHA512 9591718829d8c6033987eb7a5298ac2edadc056585a455ffdffb54ecf30cbbac637440b840abc81c2174c0c227ef677187ccd5d4f02028c8b779925f989be659

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e484cfe764c8f3e395b9060d98cb6ad
SHA1 036723c435302c90b6d3a90e8319b8025dce0840
SHA256 9abc6b4bb3f440e3560a5fb4b308ca3435b94c6117fb1f693834cbb4632d97dc
SHA512 1b319e49f400ea22c03c85f1b27b67711a05588e4ee89f19ef4f16b4ff5cf8d21d915f3c8dd3a5eb3b5f74a1903ca33ed53cbcfafc1a6d3fe5f6e4275c881f08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7cae399babc80ed3910ea70e2d70f26c
SHA1 9b7794e3475a7d488f7ff27876ef38bc8626d765
SHA256 a4dc7c6a40023bd689e539594209ec710251db9290fbd1818f632e6c567bb0ca
SHA512 74d74710d34b23dd53dbcb2fe15663606b8267fb9ff7db84aa414734f0b30ff2895c03de9d95044bcbfbd437865ee6bcac24a941c82ac17f2b686e3aa52cd6a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c64226ecc1122d70eff08f8175fa4e04
SHA1 fd0846eddceb2882747171c3c2ffdf462b4b229a
SHA256 26399143d0cbce0a8fa931c99727c3587c0ab124f5444c0848a83f1581ae7640
SHA512 0b143f3840f7d2e843ad86e319e5c71b5ebb059c667993530109fb0bf1fca0bd40fa1309b4039a09380e87285147e16606204272f282eba168f9ae9807a1e3ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eefdb5fea68e51565deb3cdb6e065a72
SHA1 c6976a44ddfbb129b5aa0b68cd0396a3f00a7227
SHA256 2a1cb1d0ecae4c6fbbd9dd24dfddd09cee8fd2e55ed8f9cc9dc09b99b7898d51
SHA512 0950aca0e644d9e719260ebd8bd1aebd1e52af781dcf967f8860c66a8a5d0522d6d3492cc58a38b95edd30a444c17f55e2dcffff2a9c2ce08ed82c2876ec8da0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f1d3f97cbfcd49cfab427d93d8081e0
SHA1 90d8f54f2515188e52c5b8024a40b086aa1f60e9
SHA256 4c2a16211f20d5df87bd81a2a237960200067b46e9d2898e169e7f7ee5f27182
SHA512 0229e35202f2290ee90dbfae62a459e94e0cc7c7663585ef8a7c96322f4cf8b2c0bfce00ff8a185129927f0dcfa13eab74377cf364e6cbad943898a6e016c1d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19a4e81b852db78bd3b5c04507de56ba
SHA1 d45436882eb8cc6f771bd73fc1956a6a9b881cd9
SHA256 5449c10eb300e6d86ee11d2ffae35fe42200329dcfa86f951f77200f01d54f76
SHA512 4636fbb0a57d63fc39073803648b8689b2a92cde11be8dd72f3291df40337668bac8d2e6d8a58557df0bef224fce9e5273c2df43e3cdd69e3577a6f03db7f7d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 321d37b12fb3b6d0f201611e073b88d8
SHA1 79724b64618f751aaa88c29e571d6a820099e658
SHA256 51de49aa104e8097a6eafc3b1fa27939da49c9109ce73d7bbf404d85f8fe8613
SHA512 c4b2dea44939b074ed12faa589d807c25bb5d0c5db46135ff6aad144858d0eef780977461edc3ed3f11ef8d8697ddca100ac97b245a69320bd96345da669dd92

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e8f908d1b88973ba19227f83073899f
SHA1 08b7c417349c87b1e446602eed4b5ccff9a35c01
SHA256 245692e59eb5f50fa828ffdb3f3272cbae4b9a8f926e00c9a04930bfbb58caa5
SHA512 8f11be80148d1c20ccf54972ac171aa4567b5cbbc165ea67a227d14e348aa984b1f29a71f453b1e710511c804162f3be42661d4f83101536fb7941df12107e05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 727d8b31d06e681b3a589158a09a545c
SHA1 fe470115cc7ccb04add39d68d5b448ad49142a44
SHA256 544085bd4a69c2e817f769c26334a42bd02f2d46a3d6aba3451cd3c7f2682c04
SHA512 eb0309e75c7f60c542d6188f88deccbe23bb28d1c8060b593f9a13b1bc78f3c2b67eb71c4e79e280a51d057fd1f0e5a11eb99a3b4ec602b620a218e234965034

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6cc64c936b6f6620dbd2315fd0e9e1c9
SHA1 68399680f00d515907e0b4684e75e9bf309c1fb3
SHA256 c47bbfba8d8e057ec31a04d5a94053cd5981bd91aca4b08e16207a96c37b46ff
SHA512 480b4abe284afeaa98c0166bd6d37faab891cf295f285f8953d06fd79918226c40a2b89bc4414662c32ab793489970effbbb7582b55317264ff72d4926080ad7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a124e4c4c8534e0a9eea46136f2b86b
SHA1 65ab8aa64d0e3d95c14d0d4906ab3c80bf6ad2d4
SHA256 ad466c7fadbbe5ff436e7b27a134a47a6b222e255a7907a7756e3bdd2c6848b7
SHA512 781880b54a1b0177d2e4e801e08ab4bb66ebefffd8b562d2e11747a555a10e85015f2c6b8d3f44e9d5a107e60e3f40995fe05420e913319595a6c7e5c1182b34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41325fe5554a1fe9df3c70c47b434e0a
SHA1 2fad025f7c40c58faa967d9ce116edd3bfcdbe80
SHA256 41e30d0326680e553a7a8a770b7d67684a9b891dce0fd949a496112df5e64616
SHA512 7d63a6f7c16e4b2bb1779fda0c6c83f658d4ef7afd96d6958672adfa1bfbde575b31b40bfeefd92ba468fa40607c380528196426c8e656cc0f8b08f41ef7280c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 824932eb27f9651f4ab9148dae1adeb6
SHA1 7c157be4f2fb708890c4da3da2d64b7c35958531
SHA256 1b6fd9ff104861d3c0218448d4e6b7ecb7137c02a1c24e31f9e78e9656f9b4aa
SHA512 7b35742454753aa4d7f946b8bd3e1d3d1993b614bdad1d2d226b555b0b7ce84980de0366e9b97a1efd49013cefd15e2cfe23b8b6e896c9d76c2d64cc569576ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce033f2bdf4d7f79868ec25e9ae0e999
SHA1 b79f3ad42853b1c674af9c5f2dd9da734b220f81
SHA256 3f942ad159bd8f7dfd860fc4cec990b2fb27129401e5f8e4ced97f3ea708c465
SHA512 818f749a2802682883fb876fff0f6c654e2088e81f1a0a1c9dea107f18a867827b8677b4b372f7468db5a180613231034c92100ad7064e2b4636c82ef4df180f

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240508-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_BodyParts\Items_BodyParts_Slime.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6A42CB31-35D1-11EF-B8F6-D6B84878A518} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000cc03e97807ca474f0848bc3008c9ed8005fb83f76d143f276e48c7892bd21fb7000000000e800000000200002000000082b8998442b0943c8d80782dfc8f6b495b83ab49db67e41d78d68c2345546adb2000000071826f20ae0f044f43835ed50b6bb4b2caadd979f8a6058533e294f058f74058400000005cd0516e75e8e27426376dad7907f929fcc9e85d3360dcc462189e0d72645b68bbdf36d4ddf252d060266ac6eb33f778af188939e0ca149562f58258a54719d4 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797769" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000004b0077e527522a8127d04f4db8a0359b8bf8c589ab0b1c784da0ca23b9188c9000000000e800000000200002000000061edadfe90021e2fa5e112d40d2024981e57b7ac7ccbab3e8eccf6e0ab7b97b090000000bd8e447fae2c98d9ee5d8674345110a12b2d217d6f2084b6e93e1dfc2de6c4247a5bac2b34d0d96c87d88caba8db77382f19655df716756ed7f05f8f364126dea170d8c954249b44be0cc7c2ec9350178d4c52f95360d464836066a1480dc354c2a60c78ff2a7c6e3879e0612fcb81db860ebda7845692ac287bba02780cecc26afd62c3285076fe062df449d5a5ab52400000004b96a08d60dccc200029db54f04779570bdb2d917aaae596ccb25dec32522bba24c5f5fe92a0d64cb88b45b987a2651d3ec6ad378e894fb13dbea93c30310b43 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20edca3edec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 2812 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2996 wrote to memory of 2812 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2996 wrote to memory of 2812 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2996 wrote to memory of 2812 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2812 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2812 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2812 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2812 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1320 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1320 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1320 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1320 wrote to memory of 2748 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_BodyParts\Items_BodyParts_Slime.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab4711.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Cab4790.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar47A5.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0db560c23b8ac68d64a1b5b0d95f1f84
SHA1 6fb5a878adb63d8a7f28f8d98ba6d352a3a00b2b
SHA256 cf8cdbf967ac5db7841a6f64dc046d25e256fe87c942c9ac53edeeedeb5174f1
SHA512 36851ff137d55ea23d9fcc37dd150c198070d4cd9611083a6e465a46aebff405efd9d0319ec6a565d909a9ed43a1c0c218a14ac0644a4c064c99dbfef4e7daec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef67f47edcd8f65b9b563bdaedb12966
SHA1 46ceff26c230b87a96f325d6609214d304e3c727
SHA256 d1bfe4c8834e96dc34a0470d900a33e7d452c950c002a8aeab2a7a1e4ebe60af
SHA512 01347cc53a300fd24bb0520a03396438927393b0a9c2add74984c9b27b008cf2d705e3118e7da34771fd1a4359a4eb3f8aafe4bf09cf25c713244be4119efb08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c62b4f8e8ca2670d799f2cffc093831
SHA1 95b3237a240267f686be86851089a7fd5e60c683
SHA256 4e312765715131930e42198b58c5b3829673359dbcf30cbec345cd574bb02c38
SHA512 b0ef902548397c91dcb2f26e1dc71ce27a9ebb7823b363330ed0342eb6cec3c93ddde5f879b153bf15ad54be5202a1d557eb915094c207f4ea6b3ef32790404a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac0966d79afa97af228fcfcfff5c6fe6
SHA1 cb6230234c037a22abf85d1f4c1c475e65e5a462
SHA256 edb5abd26c884e41badc2448c9e39860d682333fc8ea72180c76ab0f05b0f8a1
SHA512 c0dee7bc352b759ed11960858a3a97e2c88d8dfc9f37d3328a6f908509350e0e94c16975162c2c5d5451f78c45c1daf8d884003ebdbd972fb943f187d1ee6b19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c67aac757deb762da8fc658d1741eb9
SHA1 8a2796b59c3a418b0a25f27de2114e23491eb2ee
SHA256 99b086e73e679ddabd80189ca0b2d4696e0a9b329df75f3bca78de31d143240d
SHA512 f319761bc6a16ac79c7c2724c2552a8cf85667bfbc0cd4d4d5d43e243ea2d5b68bdd1566dd67f04d5cec41a4dfb62e34a61085aa57cde02e057586dbffa06848

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e6f80aa785aaa73d5bdb1b26f6f579a
SHA1 e94ecfc88b84e4afe7b6a11002fabd22554daf21
SHA256 9dc365ef1429715c11e6693ab2b00ab284e93e568b5b2b02a3fd96dd64b48189
SHA512 30e7ce8e47fc8ec09c35cd74a56330f49aba9d1ad9415e1f6758c98fabd6efdfe06b84fecc7eb4c911e4bf0994d7eda43138518104cde122e3a7c2fd16877837

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa18daa21509ae56db3fa9e1f50b93c8
SHA1 e046ec8e88cf623b6c8fab78de32b02ca31c18db
SHA256 8c3c60eed0ff660cfecf20506cc3e7ab9c1910a0f099dc168ea2ff623c8eba93
SHA512 96965dbf3568378283599d5025f3a1756edd37db421018056ca34be26d5750abab59eabc3851b292d1750931f221bd243b1f0cc1589b45c1dcdbfdeefcce3011

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b63ae092318064827fd7091a42fe8c5
SHA1 b0cf99ba01e3186aa816edc0700196da8734f0dc
SHA256 51102b7508eb681a3839a97b54f5a6224950df3b8f5a321e499253628d4e5d34
SHA512 67b671adc49ef78c76e77d4f573967429147fdad846685fc36cebfc332b5db71a4b3b33379a075c119127f4e481681b6677dabb0e154a743a7e78c5698e40373

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e75282fb59d74ede9099a9e9ce16d3d6
SHA1 e45ca6ce7110293f4ca79169cb06f079df539f56
SHA256 1cc94fa5ef399a0072e3f1c201f4dc45d8f46cd486869459571d064963f6bc0c
SHA512 8120ea16727f1c94457f2507a852563520694d051b1f0ffde1260aa545a5548234303de5b5f6fdcb2bd2ab86f0ceb384ba29a2e05df1fcef0bc400d00361d0fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1259288b50795bd73a6765db2605c11f
SHA1 a674bb9d59a5c44df20e58b18b2bc88b6226d63e
SHA256 e83be225e2368bfce12857f690ca08ee9569cc8763ed7219eccb18cba167ac50
SHA512 6eb93aa7a54b28f6c467a82358f0fbddaaff3d8ed1e21a30aca46c49a1ec0d72981a6d077d4acc8e9887f1dafc3b2f6c69c120297e5684f826e8cb9a5bf4cd69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a1e79fdf13ff950fae2ea702a18c3e6
SHA1 5e3f89857bc58a2c8b3e3adc31dc41f5354c4b2b
SHA256 d5977944fe162799c10c207c4f7afe11d14be17bbc4fb9475c67e1c62e6c941e
SHA512 91d473ea1d0227dce5b8483e559c07dca48ea2a133b62a4adff27267224ce536926224d8e12becd8192f263c2833e1f715974ab1a85bcdc920597483dcca1761

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39ee7ec9a033e5c6c1ef649c2a53a0ea
SHA1 6228cc79837fcf5e458ee3f2dcc80280b5e29d78
SHA256 ae9c6e42af9c69a7813fde906886948c1290094e994dccd3f1ba60921988ae1e
SHA512 0a2eb4d29b6de832ac7809f2ff8098240acaab9bb4dd15a407b22a1c001df36d32aa9f5463ebccd5a51888e585369b49d53168c582697f635af7cbd9bfc8bd55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a969a54f3ac3451814dee1aba51104fa
SHA1 558b35e0733361072fd0a4c59a57723e60626b20
SHA256 7866fd32dac2b6838dd6bd0940d96f9853d2ae89eff07000f27649b6b9892526
SHA512 ed4d36f62f47b30bd17debff9a173ee64e28a179db6bd43751d7775030fe970a9271bc5fa5bd4811a7c8e717199a8fd0b43dd65150fdcbc0f409ffe2d86ce07e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72d1120ded4832f90d99fe3a37812d7b
SHA1 a60f80b0f94a051903eca9224dc0f79f6a0a30ca
SHA256 6a503f06a54b026515188341eac1961ca1e1c09cf03688f1097f77254c9ef494
SHA512 892aaf372c8fda2ae714ea7116bfca8a915241c8a8a6fc5a40a226f1426ebe8007785685675553c857d29b958f49876900c59840fed8cc89fadbf6a1b5853ff5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 287b79496e515ea455dbdeef0945efc7
SHA1 4d02ee188a16a0100e1ca3e9b6613a2b5232befb
SHA256 5aba91356a993b3a7424223e2707821b08aa0772430f181465f56f1ee10be534
SHA512 34b325d345e31f485f32034e811ee07d23bb65525518803976e825527958e20e37f3dd07c9262880d482e3b001c260127d84b896f3e37e921bc4060749f4ec0a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e9c453c5dd34723cc8915c521b8c948
SHA1 0dd6c8900a424c08301c9ece7e0db9ee7d1a61fe
SHA256 cac3e6dac27adf47e6ba2709ebf174bb5c1c5ef370ed5ed4963916a2a29ffd72
SHA512 541df36d62a3ed0f1f5b1ceb59de5371060dd2d2943c40ebdbd23c6c13b9fd21f4356fad2ca2273b4cf90441f43a32820e1e6f37e1ba331979ac22fec6774c63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c62423a89db6ae3efc8f6e782271fef3
SHA1 7f9f4df70e4eb0813edd21b0a70b30b3579e52de
SHA256 ef0794151311d1756c3a4d1be762e8853ca59059a44f43daef89c272fccaca08
SHA512 749e74751c5da6e02b8f1da8525dda0db13792bc4ce8a326900b7a3a4c8a3c49fb1f26deb60e66ea7f0730617c4c418c58543020fe3d4fb1f5bede12569aaae8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 617deedd1cc88aa6196bf9377eac14e2
SHA1 b736c2fd6e4fc8a1be2d1305f7a952da5a43abd7
SHA256 2a5109c267c9a48115d179e0919de928c14a9e2dada5bd10e7335ede9e488370
SHA512 9d63806840859a624aa4fb5f85b6a785bc1965790d31b8b2b75878275e0ac1e1c922681a131a4381d7b641c9f805b00829b3f7d59800c75ec934a1d50ac5491e

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Misc.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Misc.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3364-0-0x00007FFBD9BD0000-0x00007FFBD9BE0000-memory.dmp

memory/3364-1-0x00007FFC19BED000-0x00007FFC19BEE000-memory.dmp

memory/3364-2-0x00007FFC19B50000-0x00007FFC19D45000-memory.dmp

memory/3364-3-0x00007FFC19B50000-0x00007FFC19D45000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:41

Platform

win10v2004-20240226-en

Max time kernel

118s

Max time network

203s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Necro.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Necro.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.201.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/2716-0-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

memory/2716-1-0x00007FF8C1AAD000-0x00007FF8C1AAE000-memory.dmp

memory/2716-2-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

memory/2716-3-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240508-en

Max time kernel

122s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Rapist.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000ec35ddf9e9f3ab2389b5df6b8eb3ce02278976fa728ddbd87f6e46edfd8fc9b1000000000e80000000020000200000004d6e8dd37d4f981fc510e76ac8fb234af1a738515228f57dbd9e6062a1556897900000005a57cbc2accba40c7b142634b4d43f8c85d8b37b9c68d0756a7fdf4a4adeea8d09678673c812c9bb5b7d633506c83c38c6febcaccbd78ae46b5e9b21fca1e73bff1cdab53231044dbda78f342a9755c4197edc6f88031d8f980a78ee7b0956f45aec71959c7480444cd079132be5fbd36b9b8abb413561ff082c074f6b6f862d7d2660926717ec112b15135d55321b4240000000d095d4a9f4d3b8dee0891cfb61e4b3d7d2fec584d7d1d0c154c97a42f1b9c9b1217acd931b017b7ee51dd59605b125f22891a25596bc0462bd1c784fa44e1219 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797769" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000005c23a561a562d504d18b8e3271999aa96b2c527413a23f95a97f456ccd57caae000000000e8000000002000020000000702168ec49906360dcfab9454b69edc2957e52c94270038499e444ebab11d6dd20000000794716c2061009c3945720f7866111c62b8b1da64bc0fbb59e422f43dd5e3ca240000000bac0d96b8f0f09384be55f8e0ab443fd80bbdab8378722c803bb3649a5fc9befd21da18cb9f9160f928a6bdae91619006ae60dc65a1b64b74042e28368a5d608 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 500fc43edec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6A2DA521-35D1-11EF-B0DE-E64BF8A7A69F} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2556 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1932 wrote to memory of 2556 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1932 wrote to memory of 2556 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1932 wrote to memory of 2556 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2556 wrote to memory of 2168 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 2168 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 2168 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 2168 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2168 wrote to memory of 2580 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2168 wrote to memory of 2580 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2168 wrote to memory of 2580 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2168 wrote to memory of 2580 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Rapist.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab432B.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar43ED.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a09e4f921edf7ca501755dd57f67c1f
SHA1 1b37375edfa44ca3383f8bddd0ae57699b0a471d
SHA256 75e19ba3819a3c3a0c1f10b7360b5eadaf8f3f53ca5603993c1befc63b7d7e75
SHA512 1b098366d6bf7fdb6daa7532680d29cf05cc1f8c57efab1f6bfdc3c14b567e9d91912fe672aaabbeaeae3903b16359545226137717f43fb79daf498918d5dc5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e7df8b2b0a141377d74c72295a0dde2
SHA1 7565a15274a9f55fab895222dc5a425786888e45
SHA256 8091ad677ff275b79b22783ee9ec4ef747d92c59abf0c1df04b06216a53d8bfe
SHA512 c701419d9ad0e587c72f99ef9114898a0591c1603afff09bc6432f25f80d3bcd76a16998ad28377fdda4297be520094ba14bfd13a4fe310c0e235d835512ffd7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dfca3476a1b56da3b8af814af22cbe25
SHA1 536a3ac1b813956fee6c0221ac6bc932003683a8
SHA256 12596e02ba3f282b038e6d7cc7816a309143cf09b1f7b7c1da462afb7fa6d0c8
SHA512 97be2ab9258cb9dcccd2fac56ee8ffc8d67418af5e9dae390be4c3059788208b54dacecf4dec48c959bf6a5a553c52a6d2be52f77cbc0ad152c1d663bd91e35f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee77b404873c39c5c2043564db5f835b
SHA1 b986f17989f89f9744dc68468f550ca7a30ed458
SHA256 0ab4f7f113f38b637a1f0fc5c6ea6a7b856f768f2cb5b4fbb454df3d6e2cfbb5
SHA512 24df2d3c7880e6b0d6ca0b78d5cf44ec6fd95cc392a909ab9995dd0cce7083507f9869402f2aedc93d78ecfd5c8e6a0b648bd7c079a721fab55bc2064c618ebd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 774e89c4d0d3e569fc3e9cecaebd96b8
SHA1 4bd351c3d6b9578078d4af62b5af52400e1593d5
SHA256 3070dd6d8ff7c51381db5afc3d610a6a101447c32427d472256f45426f8e7e55
SHA512 90952e201badd57fa15bac1aa350a3d92806ee78eb3502dae93892bc47798df53a11fd20e331955152db9116f20394ed867d30a501dc8c34a44290b70e84b8a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e241beaf1c9bf70f831c3dec71ed4b94
SHA1 4418de40418e4144b3ba46ae12c630bce383bb0c
SHA256 7cb9825209d2028dae279d2bdde466fee49ca51871c858fff0396b6f9258ff32
SHA512 48259b17709a3dd5cc5e56e6bd8bbc98d58fc2d93b2d3313d6fa894f58544e7164193e2fdde99c1ff7925a7dbfa62064e9d51494551c01a452f63b2cf6e79c44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 353195317698945af5c7630adffebec1
SHA1 c16c3d4298e039b7d5d1eaaa8272d25f89cb76bd
SHA256 d973a92278c666ab818355ec51ae3001819d57d19ae8efded7c1e4f0050ca191
SHA512 5a105de0dc22d9c69fee13a14ec5efa2ac6681bf032f02c8176bd05748a5dc56e1dca6ba670359bc875152c3c48460821282e999114d25ca15ecebc6875982f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8f221f04c4afa9abbb98948fd186803
SHA1 b2cacec0b5ac64351011be0ebc4586a1696e4ab7
SHA256 baca32f4a5e8921b6af1310ea174dd57af2c2c4bd639455cc245aaa2026e1214
SHA512 196abf5af4cb6d9a229005c48acb194647f778811d2e579e30723706a8ef7a9aba3b796d97e392aa6d736c867e00d877ca473ad818ffa3bcaa46b0cfcb0a8a24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7fddfc0a332cf1b0c505161eccbf456
SHA1 e634807063e6b23957a4306560bab58cbf6a489c
SHA256 e21f981e81a5aeed246ce4b846ed7c9eaac6ca3388d9faffad3e7ba5235246f2
SHA512 8ec65414888a595c327282d101bf892f516cb9930cc93aa2ec25dde7a2b0399bb6db182372b39a11a26f5b173cc00a6d3a182ddcaca24952d256ff9915104a8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 118dfd1386cf3cc541f35a320315d2f4
SHA1 534598efcf15a1b1d1a98e98629820e3f2203fdf
SHA256 1504b49d7a7f6f0a5b24932a56d9ed6a563d5cfe58aa5a5f1ba84ef385af6d2e
SHA512 ac8774636bef45b2c624b18e630b02becd3867b3031b7891998884df1b93ab6f2f03d012c97b8f983ed4efca6165f2d94e54db036124162473b040a6c5cc29d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8cd650466c9432a62efbd695719d75b
SHA1 dcbc0c9c9fbfd1b7e05e1d4c11bba292efa355a9
SHA256 2b59cde23a075db18d2ca7988a465ad1383a852532f4b3870e9abaed365a0d57
SHA512 0426eb2550f18b4a64522ea84ac041014c3032c758ee710e96f9deb63534da619cd7f0444606d0a35a1101576e4b4b2f33f27e4dcb50fed99b1da3ea7ad75189

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b96a09f86be8023ec33566d876745ffb
SHA1 d874fb276c4305f0e65152f38f101ecc4e365e20
SHA256 c606f386c0ad9bb1cd393b862ea01c580d69d3a74f7eb94fe34a38277a58ace9
SHA512 3c14d766228ca64ab3679ce9ac8bee2e5ca22b1482b15406d05fadfbb946759f296a99bfa3108afc7b79b5579204330681b05d86b06122f6a6ff8b76df0365d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c183b99ff1ae0cb1a5ef7eaac8b9f890
SHA1 a41b6e9586ca337be55d6d2515e1420706849e32
SHA256 367d39b3f6f9a5e2fc888a08f48d053b208264c7a19fa30dbff2e643199d1fe2
SHA512 34c95ba055f5731a2b8e212652fe5ffbf2f42fb7eea56b531d0e338a389f437453993494302f82fddfa18be78511c59a9edbe9686150cde5f6e7c54a5e32876e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 964c523c85faf8481cc9d9da48bd48b9
SHA1 a4e737fdf27e53ff5b08e13c9c5822e7af6474d2
SHA256 2e0ded0970c0eba6d96a3598586f55968e5d563f357e9a1d54d2eda7b77b0229
SHA512 bfd55b189971eb5a846cc021d0e41bb2e66be5a1bb44a70135f1a0861c71f77463c826d917354e31546d1b79149f3e56e1227ccb49102f2a9eddd8aa563c2dee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81a2ac6f0d271abba1ec5f2e3e73cf78
SHA1 2abe62b7509164c13fcdd39a5f65573e1e700227
SHA256 259e99e636c2b58f89b01082cd2149e69030099b50d3e4152fe2951a7d2456e2
SHA512 4b542f808bc16b88a4110df0fef66fefdb6a1656e188f3fb9e586f895a696727cf2b16d051cad13063325cc127e04901bf5a0c2f8e1d9b35ee71500c4e547ee6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f435daf716b15604af961f21a8c4bd0
SHA1 b05743232acb0f0791965812f4b50ba342c2f83e
SHA256 723aa7efe5086278806c839dad886f757ce9075f0057202a35bd79e72205bb33
SHA512 a477d53c5f3077e57d3251fa3355d687701923eafde38520aba11596acae8b4616bf74b8c4b5636d1bd187648a49d7cc93bbdf1550cc85eaa74f2b4c6af80f09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 caf236b0da44072404ed35ef44e0b03a
SHA1 f2f1ee66a1bc4951b0ffaaae0ce7c903456088a3
SHA256 9f35882943174f3ceffd7ec0841a2c0dcced2a8cc4ccc7c8113f211a7303cb36
SHA512 7dc1b6af6e0b34f7067838f0783b252ef89ac2b8e4d03e253c5841552ea0e1fb38546b9afffed9e1951e059108a5e3ccafdd39e35c131bdf05f2cebfdf963c2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab862eabd2839b4a0fc5808be822bf96
SHA1 baccffd9a9eec8a286e161b3e4c20b452b2394dd
SHA256 0d01f8e2f7d8f4047745ff3f0e93bfbcb05631a8ed3e747be55bff95cc5e0a7d
SHA512 bae99bbdb155f5cee4c8c252e198cd1b9811998916e705995a5e20ab5284b5bb526f803b743c809d4b5da2c7fea4e4a100f7664643758e4c8c4d796654dab484

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240508-en

Max time kernel

119s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_BodyParts\Items_BodyParts_Insect.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_BodyParts\Items_BodyParts_Insect.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/1972-0-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

memory/1972-1-0x00007FFB5EF0D000-0x00007FFB5EF0E000-memory.dmp

memory/1972-2-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp

memory/1972-3-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:41

Platform

win7-20240611-en

Max time kernel

120s

Max time network

151s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Necro.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{725F2DE1-35D1-11EF-917B-C299D158824A} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000037f7d97639396aca701370122ae25ec66c6688ee66296622e0e9735e61f15cdf000000000e8000000002000020000000d41cde107a3f261ba1aa96eb7b638d079c8d13f9c19cedac8306d8045ad14a259000000032a0b0a8dec7b756f58907cc05d730af5db0d1ba72f17bfce6402f4e3a571b87cfdbdcfbb883004015836c92919327b043ad1cccc13d3932d0f21b0b2ce35887b4e8babf6901b1a81e212715cea2806be805b73f1872abc169ae32da47667874ac553d502aee486beabf3e7459f320a13afe6b017930cf3c4e410ba5913b357b2067389b8be2140da2029b01813c0366400000000f6dd6261e79bbf29e5c544b502b5597e02b29fade68c96080bef94df02c9ef0e68b7829e62ac332eebfbb19f2e36b59d7ea88c4cfb5b266a2c13863b5b01309 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50886547dec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000f0f33d4518eb61780175a87666750580115f17b4ef9205d14f1c01fda5992c16000000000e800000000200002000000087968cc965b24732acda2bd017f1c2cdcc716c8ef4468e375d05ca4267c1e15e20000000f5a1168839ba0f6fa47b428c7b587a9843496f1b9ff9cf66c120b06e677a998440000000d6fde2c8a6fe77fb6464a6d8bb477aa62c9dcec08ec6750803e8b0d6b5d322116c243036f267fe327a10fe756558fef99317c8ba7d9abfce884affba02f419e7 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797784" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2748 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2068 wrote to memory of 2748 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2068 wrote to memory of 2748 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2068 wrote to memory of 2748 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2748 wrote to memory of 2400 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 2400 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 2400 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 2400 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Necro.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabF2BB.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF36A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7fcff33c7a275d40f7c9d7b036a73f3d
SHA1 f17f0d8415a6eec5e3564efd6955e11a957f5d55
SHA256 b30d241ef62d4206edfab4c4a105c9a8fc26afc23ce5f51118e326609ed7846d
SHA512 dc625c783c84b2bd454912f729d9d65edca13dc9f445cf898cf6718457e927f8c125f42df89b6591978e938c245052efa6820bc369cbbfdd30a5a1fcddf2eede

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7af7311fa7966b2a05f64ce22c41a11a
SHA1 142093b00b91d5c2744bd8d0e82c64336ead68f1
SHA256 abd458f07b04dae57743a9fc61d5c346b9d23191e44ace8b4e0d570831928c30
SHA512 12ed5ed4a315d8372024e0a374e62decdd79595b3d2438991f4b611bd5af7ef6e13f3953e3eb699952db0c48897acae1e8bd2c8b77005881ed07c00e9b5a6eb8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fc45eb4e2a1812fa9f1902e098c8bf6
SHA1 3367c7df6d2d968ca94bd714099a371af5ba33a6
SHA256 852a0c0f40eb11f4a3cf8b8d3a41a9c234714df759d5468f4376a024a26fdc0e
SHA512 32f4aebb9d276ed87fdd42e131c894c9e308988fc79bdf5769bb91dc30a734abd623f7942aa8ee06b01fb088cdb828d4a37f2e6881f866161a2ee330d31282dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 814375be7815f153dfa47deb856e7ca0
SHA1 28ef69ec59848c794feefa82ce47d2385f6c3aec
SHA256 747133afe5ec69c30083b9f87372d3d994eb685f9c2240191ee643f6b2381dbd
SHA512 0fb11b193a15cd91d420bd5612480ac10bae695ff65693056f4e5fcc42a67ec5ec9e81267f59254ff3f648dc3e6fc7440d74d5cc86518b7d5942c3c904c82ead

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9dfbb2f8714d0e600d247941c74ffd54
SHA1 579a27eaf6794706e48597edc5686a1f5589da8a
SHA256 13dba149d19767f2f93896f2b4016639855f4ceb5178ad69d28d67f2036014a5
SHA512 5cee95f69af97f37f1576e6d5b8f1cfbf49a930df69e6d4b5eeaaa8d585b202bed4da97cfea34ab996ae591dc89ee59d7d8cb0bb77b806f2892b35f6d90ffc8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0224162c6c90c61af55af4f0fa0f718
SHA1 d9b12e955cbfc7a96a4e630b0b9b27bfe2bfbd1a
SHA256 a979dc699d8c60c471b6d837315ee57218a58512c38aa8f606b5f049316401c2
SHA512 85496563f5f6318890613e485212e5e6d80549bb535b3ce5ada7a5480a9bd5730a233168b362a00cc2b0d1578acdcf5b8372fc9c098cda33a76bc510c409f00e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3564fd75c2a39a8ae62f849c9f550810
SHA1 cb5e297f1227b1e5a2d9e2025559c1f4c75162d0
SHA256 ab5ffe495cbe1cd3991b0bf4c850817e0541ed0d028fcee20156227f6a84e17f
SHA512 1e0b061893547e0f41eb26c2c1dd1ee455a6825cea0c395b927529df0b46f47694d6d279b0e240450b4439156f3795997222b61ff52a0c15e959043c26378d14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11c3bd08a9c6fd5c300a3c1a99cc9480
SHA1 c5bc399e2d932ec82890b29e8a75572dd0a6e077
SHA256 75af4009249a5e7c72172919659f4beeb5398e72a87d49832d777e5a5d7dd18d
SHA512 8cab8612c62c62ed10bac3f3e54901a2313752cfa27ef8e3dd2e81486930814718b6c8e2c88a19d39204caf491601e50059b1b9e5bb02c15ec33319af3c3a5a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 959f4aab975538fae7a5e9ebfd7fa4e9
SHA1 bdeb79adedc65e69a0ae232f8f1cacc292029937
SHA256 2a7d5b2f2be294a0d68749d70e96211c01943dc15947e5286991073d31bb63af
SHA512 a71b11bae0586f83ea6daf3ecabe2db442a1423199392500f7e65794446bcb1e3800f45f4b1c04d992e0d66edc19c92148d00af4c8fd30c58eb39a6c2728e353

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c754be47bc9e6a6254500ac7ba9b871
SHA1 75c9a429ffd3e37d25631cb4e9f6f62c555af7f0
SHA256 83ff0001a395aa8e3573e6bca58a88e48158b2b8d4b30851a5cf41157c476989
SHA512 d286f3837b53818b77cd345819b9b9769b99b53d680029c5dab22d5cd68f92774e407f2b10051c8d4f3d1a3761ec3abe55a2bc9e04f3d5f7de3ab1b75b3d9d07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 beaddff8a61d19bd412f69197fc87840
SHA1 05a89e04155928b8fc2657d7831ad2f2892a6a02
SHA256 9fa7799035b40ab2719d559f83eb91b60eecc92ce584475b15e768cd9f08945b
SHA512 1cc8052626deb064472c679d3a825a6895f0f6de5b7b465789bcb6a80d3d1a9ddd48c879e5edfd5fbc9db64307f134a2b5182aa7a17ec6a2c8ec5bbb94340966

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06797f1a03b0971b6a075f66481cf859
SHA1 c832a038f28218b8cca1b03f3b9fac2f3f899fee
SHA256 7c3abed10c3c4f10335e1ad6cae358c2a4690394bc2996dec689ee66f1730328
SHA512 f7fcfbc755fc59432bb6f2554d50fdf4113eeeb51dc2cc77ad752df09d0c8382c6a95376bd99e9bb4905237783d85898e34957395ba83c43f7764b077e35cce6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c1fdf8c9f6a95ef2f25ada3a1b8ddbc
SHA1 b20429998ed71c22976687072d78fe4422d3a567
SHA256 c67ebe695d3c4b19e71f4adc5ffb189365fab45ef5b56c2e08931d634a304e8b
SHA512 280c01bb6f7e42a3a1c07f6e737273533b54c1079fd0948ecdca752d2297ff0f38a3a126345d269b2f42c0caa645d2a1fead9a651f8f59d88d7b86732137661d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 890e2c8e211f7823f39d10deacdc3df8
SHA1 ab4fbf895fc5864b86e371957853807b12254a11
SHA256 bf122c5a18bf16cd665518fb453727c8b72694dbf17ad4e977a34f98c619f9d2
SHA512 fe89f5f1a642ff37e08d800e4a40d6dd0e541fe3d2a36ebdb5d7c68fe65abfd1f5f3a0abbf778284020884a229925d6a58f66b4b3ce65c970b7c8d6f3fc22959

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb3a6bf1274d4d877223fe8babbac956
SHA1 712fa2c38006c47119b85e7b0298f03268a5875c
SHA256 9a127633e047db70dc831f112e04b5fdd520a238e101f792bf854a3983b35fce
SHA512 a3d0784e1a77ac30c4b6833392984de9f7850ed7d8289b8018dd762e3165173b635063f28db444bfe469d1eb19a97a7fe9b20a1fc0e23bb76a984197d91153b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13bfc2898e748cb400cdabe7e069bf27
SHA1 5a973d834fc4760f63fd80a55cb0e6fe8c3a46ae
SHA256 d6a37c9af4b4e8f5df1be42021a7aac0d0d356393f711413ecfa018574e6993f
SHA512 5d8e6587061bcc19801f83f2b7a1768049426043003f6afeb3b92f14fdc9de881aa719f46532c46f4d259d891ed47b0ccc32d0e56386968de2521a0df536d2c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bec0057c56ad07b6a1b8d0c4fc2a2d84
SHA1 34d01708a1eb635e862f3b54fe1c4906b58f4214
SHA256 62fd7e78bc9cf03094c362b0ffbffa0a33f39f43fb699d737b8478715826f673
SHA512 efec4cdb1bbc2d4fa2f65a7e4a31c4262fad9cd4f88021679cb782fdbdc03d06162997c3dc2587c312ba4e434bd5db078ab06de9f7bad763bd53e253a619db11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38f9730694f4044b02bebbe73bbefa92
SHA1 9f61f1fc6350d7c39592de32b0f0c7b8cbb061e0
SHA256 4f5ee90a32110e037f89f893f6565d6726bee718d2d46cf052932adebab75e23
SHA512 68bbde9a75b87ecf77536c5596e6c192deea90ce8c373fc830d6f02789b801374da86fc98133cda851a240a9ad8fb42e254a001946620a4070a6ac1ba820f157

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 007897021d6b9fbe51161930baa24bcb
SHA1 179aa8786539ab69c5b3ee6cca04e998bc86f0dc
SHA256 6501e7ac3e4278b1c12886307e0c4c9639c70ef444448d77c0c8e9176d503062
SHA512 f96b20f22e8c247a76e3c2c08acb4d93707be7c60b108af6c66974c9b3daea5a277c36322cb6c1b05c3be24c794dcb90b352cb3b20ae59c6edf3749c3f821148

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240419-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Prisoner.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797767" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000bc24a65d5acdea2ebf03878be9f06453214c0a73ba92a28e0ffd2c19579fe36a000000000e8000000002000020000000a76e0d1cd6457add8d0d6f5c41fb2a1150007e06f962c8b2483986bdf66fc663200000005af2fd165a4db1140c5687b8b476fc7b6c55ece5f4ecab37d754c7ea3af090c240000000882ba677a96a0b6e086595e3a64fc404d82083222e8e3b60a502d0f045ef61ea6f13fbbb7bd15c4d4e263a9d46201dceb51bdd47a74b29bd19cea16567e5e3db C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000001213563614dbb9a0812a316cf342e4ea27cf69d2cb49a2ea08e2738828208201000000000e8000000002000020000000d4fe61955d233cca038c19f8f0955103c793a4282f47732a7cc95c9804bf34dd900000004340dcccf90355b58271793826b97b6741c2386f878a00444a85d7f402e1285f1d2e5c98d0c75c5f93511354a2f24a81516e0696ed1064771ccc7f1305ec0fc2d36acfab040a8950b4c18ebac25569a686a3f4c73637ee0ff1915a38e37ad130fc5694b7b6f6346c35c8e4dbfccd27a2dd53b9d820063e40acb307cc1dbe43ae73a6664a9fe907012474374b20797b3540000000be4df6bddd54da2e4a16b862a763b09f53d4d37d14c678027f5b0d4f89ca8785f007607f4284830b9059d9ce54ed9bfaf63a37c4b642cdcda0188a8f85e800ae C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 009b243edec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6984A381-35D1-11EF-85C1-E69D59618A5A} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 2392 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2888 wrote to memory of 2392 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2888 wrote to memory of 2392 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2888 wrote to memory of 2392 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2392 wrote to memory of 2396 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2392 wrote to memory of 2396 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2392 wrote to memory of 2396 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2392 wrote to memory of 2396 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2396 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2396 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2396 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2396 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThinkTreeDefs\ThinkTrees_Prisoner.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab409C.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Cab412A.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar413F.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bbdd3c1c96da8542c3bfb36d9130cfe6
SHA1 40bace914fb19b037240bab94b9b9e139a125faf
SHA256 88363fc0699c741fdb48a392ee6263bfbef98d56cbd8c55ced4e1ab77334ac19
SHA512 45128de02a0626e9fdfe4f38046c602b23da555ced1f3c729f3911b8b25071b4c2a08ed4a1fc56308ca8ccf95694dfee66fc8e0cbe2f5cb95d680ef1f9f28a5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c21853305c359650dce60ff23abb1a0
SHA1 11f907343189c3e4fd1836eeb471159b7470d440
SHA256 9d19424d2c104b6dbab878616505a53ee739feb2c9607e29998fff8a4764abd2
SHA512 91b06065ec9259213c00911e41ed75967d530d0ab49fb31f11cd65bbe233ab7dc647e751f8742e9f14d16bae69424573ce27173fa55dfa4d69e8d95722dd1993

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88c487ac30192e09c15e426ce49e3645
SHA1 2104e9794208a733669b91be27a6e94c719b4ac9
SHA256 e42c455eb26f77e3b39846cff214b17fe48abf04a4ca831be263fa11a8c63c02
SHA512 d4bff954b950df13d61afcd884fe8f48ae5890a3caacce3cdb8cd41be32e66d8ccb01133e58f6d4ce1de4c6734cafc6748bf44c55c36a6a2e33751b6198bce31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2c2ef17ecf928ad2b3c81000650d192
SHA1 bdb2803d23b478c9490d0217968aeff8896ef6f1
SHA256 bdcfaf0e19746102a73fbce6424520d08ef13ab63c30281ac827d0a211e5f73c
SHA512 a4ac3f1f5fe832edbed5100f9b3837b5234c33d32f4ab474e90f8d5090dfec4fd803ae12431693368ca3224bd9c436d1199cdcca81559eeb06e885992a734fc2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 87bb624c4bd7d67e6d7b8e4cf4d79855
SHA1 941ed1fbd55e6dd221d49eb29bca8a1bbb0e535f
SHA256 b2322672ccee48ec6d59b30614df97cd415f2dc04d1eb363291fdf6ac4143738
SHA512 98ee444f89a46eb5b05d20380d5edcd7d97f1a5214599547817bdd3807801a003b3d2537193d0615f4c226284b1cc52be17e936a859e97afa1e95078a68ef7e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8969efbdfb1d7f407425f48ae615e785
SHA1 cd1a98c0795f2f5c4a73a3e2d07b31a999037a1c
SHA256 7714b9c62141b501858bbf452c7a1c772f3cfd2a446574ed38d54b8680ca078c
SHA512 a43eea1fde21d65eac98ce3527dd544595565f82131e4c85df353f98edce53db24b2aa76554d7f74c73e0a77cccf682a16096fbfadd1082c1fbc23aa6eaf760e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 170f8c6d202bd8c99493c9a3923a28c1
SHA1 39938c7c8985f7e7a59d10605178c3f436e2571d
SHA256 7b0ab52508c0557024d280eafa4231623395b65c2611810ae65cdee047f0436d
SHA512 c91b548000a4a0e5927a1483bc8d1b12383f1a21b1541704c51e8d0984cb0ac440843c1e16cd657d17e320214c25de4396f00603dc5069edcefb452b35fb324a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9ff4040f7fd8abb900a4e748ecf3f02
SHA1 4be98aa9c2abceaa45f54c1912fd46f8cfe5f3c4
SHA256 35eac7e9af360788ac7382b1aad4de9602c42330bab529f48d24af1c2e842d58
SHA512 4df1bf4a297c8150b1334af4db37359b63a0fccafe3d9958f5943a2df045c66e9d5f36be01e4e59a3e296160b03f7228491f4b1412c78c83724798663e4d8e6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6a5e8874b441f25e678c4a3d6458297
SHA1 b86f6e2f6e458f5c8d406651c3c6aed2201f4041
SHA256 8d4e5fccd37c07ddda6d3c468c1342c65493c57a4a1da30b3496b9878ceea0f0
SHA512 ffa2aeeed7c452a441ccb99c6bdaa57301b9c26811677f2a1eab16eeec35ad91b55759d37794bbf0c16447d5d0cb1da2433cabaedf5fc03bef7d5bb5de574191

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2095f8a5c88d1cbc01f0fc024866121a
SHA1 6c62a6060f51d341d212a455f854d58414a6c60b
SHA256 8a717d770186ec33d7889f59c0bff2efd70be727be44a74fa989f896d8db6c24
SHA512 12cf96955a7105b0ae07cffb1ee3098ada85330660d4bd79858d75dcca67a812b99e40d913b52851a98a1082871de02a472ca86b0b0b4635f6e1ed8b664c3c30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 536c39b44001232c0506cd8ec8ae3843
SHA1 170adbfe752e7f190738567797b834b9aca9c646
SHA256 736be4c0dd0cf4f8579bd4fddaea09859cd5e0759fc961b5fe1e1ab27aec82a8
SHA512 7d43d68c26d8d25f35e8a9ccc1708e194dd8c5f31eb78b265c043c6703bcb4696d540f6c45ed48efaf7148f38bf8e9380520b2e5e4c162f1bdee346369c95965

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73a1c0ca1e1de22451fb1e31e59c6fc1
SHA1 0b07b55df78c05f8fd22d1f789395ec0650181be
SHA256 bbdb33237a4a52cc29baea9cc9e732f74b3f36d33f570787788d9927f2fb6a6c
SHA512 d0e0d3a20ab02a00245a2bdf6ed09c295afdf4df9eb30fb78d8499becf0e0ffedfcd4bca44955105113c9b71c78c83ef7aa5c69253e6161f4011f2d6cd48511b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9fe27095423bfc5e9acaaa2cf5d39be
SHA1 5bae9f828d5b453c73e6a72da4029a7728bbae51
SHA256 91fc2a8ce7af7bbc1ffef2f472443b5d617ebb8a96807a37f2d5dc7ed2dd2559
SHA512 28592fd5ef6ffb5d2b76d16f880a18efaa01f22edb77479bba015405e62bc4e0b4303c053ac5c4681a831ab12df59abad938e33d8234cfcd8cac0ecb9a01b0e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0fc60e77be6e27c34338d65dbdee9157
SHA1 faab7c0aec4d412594d6f24ed72dc045f59fa170
SHA256 84558a092efb807f4cc846d53b139e7f163e3156a1db39481e5d708dcc509b8c
SHA512 10385f28898214dde4e3a80ef88505649fcf21e3fa078f449d82749eda8f97bdc98bb101ade7cdb60b1d80112d4484cf2e9e723b64fe74ebc670885a4fc8e896

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2edb8b33c508e0fc2d8e940c975bdec1
SHA1 31baa8d948ad3305a1f1d2d7142ebca44f19ae2e
SHA256 50e860775385d8fbae0b071dbe682b3eb80571986b4a4ce4f17eafc7b774682f
SHA512 5fd1c77538c2e8b716426a2f64f8c36383bbc337a6e28ab77e6f1278682b61a1788a5c2604b50a78f0f33930008272c5ef3b2bf2b184e39879fafff26fd4ec36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7042c7763581109bbc8ba84f336cc392
SHA1 067a2da098e966e27ebb6bd20225288e848ce323
SHA256 3a75afa7b75104d6589c948f872955e8328ff3dc01398564464e5dcc0a219c99
SHA512 29a974977782c22b78dad9632f7189af65ef84ea5704c33cda023947494bf3c2adf751ac66ab10709d0d5265debf74a1fdd5dbdbcd073d5e2382d5bb28183a6a

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win7-20240508-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Family.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4014933edec9da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000fd86911a83587b04b35243b2dc6f152ffc660ad46164dc1d949a459e14ccfb02000000000e80000000020000200000006e5acf9678eb9a3c79220a741ed4fa96dd8fabd780a266960cc3a65d8abaf4939000000066bca0241e04072c21f6a2142fecc720d5db39de9c73d3e60b56699dda156dfe0b66b09de9060d6fff8597cacf0f20e9c538fab7ea370981af2a068cafc9a0583a3463012bbe57e1758a1f7a6d27c2721074091e07760267b7a8b7abe730a71988353ab787c5aa3fc4433616ef66a3b72d9d10f39faa5940762eb6f5ea7503e53c64bf7a83f449a0be42381583382a204000000009488426dc6d6161449a81e5196977825961a98810f28cd33aacd5e99ab1a7d65701e54caa3dd235c9cdee035b99947f410b5b5e43dd232601d24e481366950c C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6A0AEA81-35D1-11EF-BA8B-4EB079F7C2BA} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000f9401eddd92f86fa0b61eade273ae79cb35e44ebe616faee71e6ac068d22d908000000000e80000000020000200000006bdbfa533fb3ed97605844dac9e80630da7465973c3d9ac56130e55e31f9c02220000000cecd06bd85dcd63d09d18c6db9db8275fa28caccbcbcd80cc5d0521a9e3ae92f40000000504704a249e8994691f6fd8961ade9df9d7601940adc6176c8b7d4f82ed9b494f4e842dde481b90b984df2664569e855dc0652f1d4c4558e7c216741de32be0b C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425797768" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 2240 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1456 wrote to memory of 2240 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1456 wrote to memory of 2240 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1456 wrote to memory of 2240 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2240 wrote to memory of 1828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2240 wrote to memory of 1828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2240 wrote to memory of 1828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2240 wrote to memory of 1828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1828 wrote to memory of 2328 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1828 wrote to memory of 2328 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1828 wrote to memory of 2328 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1828 wrote to memory of 2328 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Family.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1828 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab4BFF.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar4CD3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9a4bc2bde928d1a46de01717b26bd5f
SHA1 68cdb05df72bc024633722901106616562cf5410
SHA256 055f0fbc42ded285ef6c3541337f3d7ee8ff4bcd697d364e41fc1d0c0d038909
SHA512 be234059240ce2c19dfc9b58c878224dbac3ee2406f7c3250b3448a385cb6eac427bae9ff875d8626a9dae357d354049dd2da17e80ac97de09574d82e2e0b67c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94522c72dbcdd4af2b3bfc04cccf1787
SHA1 298464f285e2b875f89926be6017c29d55840304
SHA256 561a3a73724caa07703041ee8d0fb1e666d3b4a16a331870333151e8bcc75fae
SHA512 4f35cbd2dccb178f49c4c3e4f70aa1d1d41e1606dd8a9a2987ee64094134521172ff2b42c1f32fa5bcf3c719241d6299acbf6c065aeef229bc59398957f80739

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 194981ac85f86fd88bbab8903aa99aaf
SHA1 f4698fc527399a21b32c6b0c1c3c869e53f3be9f
SHA256 92b163fe3802d219af90353859e2b7d3ddd73fbcdae2754bd3412dc3ad8eaa3b
SHA512 e3e499edd4cba733266367fb56f3e62c1faaed67cf32ff02e673b219c284f5b1c55ee8c5ff3af8ab3c9a82f57dc47cba7555477cb6274978951f564dc4cb95f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e5d59a26901b29e0602307a1199091c
SHA1 b0d64888ed2fbb19a306eeb9ec6486c5f84b34b7
SHA256 72276bfd361b6ebccfd54c5d6e25c3ddee406f0ce1f37c383e76ad319777a02a
SHA512 3b1b2a0a045108aaad07db603ceb1ed854776a7deb61932355df0a39a6f67743ce2b760104d4aec2164d3c12231e7879c6976470597c6b0be3973bbcee4c5866

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6da1ff35668711cf0b2830a07600d2f
SHA1 dff7ea946a0371292ed78672064e6aeb6d9a1962
SHA256 e0543a2220b164e8d1e39201517d3a07c52b7c52f46e25801ef9b804674c157a
SHA512 f8e64cf65f27706a233e4c4541710e742f1cc9a9d213224fc4bb0097fafd8a47c592ae48bb5af2c2dbb3172e2464b00041edc88996707acc97dcedeb781398d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3a9dde537a0d838c2257829a0ef0f1b
SHA1 55afe90e59bc3cc9fd4c8cd5d6e4e45a2835ec96
SHA256 86f3e372a28daa27fa016ee386ea64d5e7f2967dd1a08bdb0cfc302315046682
SHA512 5b9a352fad904347c8b6277b2438e00ee02d8fe7da4c2200300bcc44dd88e15776bd2d53be4ab1d93bbb1d97aa6a68ec75a04babf692ae20f13e765fe344e8a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2067b8d3ccb0a9c9621c74a57e9177ff
SHA1 aa83ee3d65950778e4305fb6c6b04f4fa114d14a
SHA256 f073c975e831c0035a6502174700b9540a4fe788c9e46b3517f3074ad7b79af4
SHA512 25bcc7e8c418b3f5eb0a9e3d93633d1319ee19cd37a1332cbb4fc387186921a38efbeef89216d989e4b7ba8134fbfca6ce7db99fc82b60ba9c129d59ae09e8da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f40e60c25d29c07b2a934bc3efec2b0
SHA1 98ff5226ff8a150e80092ab73f7354cdeb7064e5
SHA256 fbb57877e13e891d2e2e1d3d05a9c08e294b1e1e006f689c609348fa5ba95d97
SHA512 4d41cc2c4e9e1cb2917699fd4960d081217ec554b38f654a3c2b83f568f7536efca64ff719f0ff18feeeb8b7b42435cbef23513786ea29887778c493226e3679

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0f2a7070aa84b5cbebd70a9bf310824
SHA1 47cebde5afd95b326b350e615e5c7ede2fa54830
SHA256 5b89bd8a71c6b84ae39f97d2394ef5506532878702c7d89d2f4ba4ee50c73d21
SHA512 0354884d641177def81b3f09739a29b45d975196ee43ca2ee36090346ef73ab949dac833e448ceb9f4c67d46a8539b3e047f7b982e43675a8ce035f8e8a81fa8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 213b7ee47dd47feb1f364657da9994bc
SHA1 9ffb56049f7654c7f4a022fa534d83d2b4bcef5e
SHA256 e1e2fea2b26450e9962007741c41e1fc9d3e5e0867ad30053541ef9bf333661b
SHA512 33b76ef5489f1f04a31f4db0b1133a9b307cb10c18132665fe926e6460dc06507ae22747f9507fbaa8bf33470db5be143541ddeb88f6503bf1317f26b892dd66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8eb6db5067ca2b9bce9f191104facc79
SHA1 4ebce71b435bd69637bc727005d1bbbeb172e428
SHA256 07a4d3142b99269dead8d020734699767831339eb9f121f1808192a266ae5744
SHA512 389d4e3e423eeeb0f6cb29373bc4c2ba1377a486be9d97c25ae1a12540fe0455fdd8c748025cf54f21e196302cbe98bea3088190fd3ce9b362efb2dea0316537

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be3127e3822afb4d1f915fd4cb23cdd7
SHA1 76cb588d414c2ca1d461a66c05623713a9f64213
SHA256 56aaf16fe07595aba44ef0de0f9415041de99e95b327c8ab039766b563c719eb
SHA512 7135442f3ef0b7445d7f76c97794082b486fe265102f9d63ddfe4873586453eeb55b8ab13cb123526ac7bc07c6c7e3e9beb92bc1216043dd3d2d7c4687f843cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 553ca06043671fe8e42554759bca4b5e
SHA1 ff9455231ed7c5c63f100a64c68f0ce5f752df5e
SHA256 21135f9ae57422c17ca6ff02391777b91685fe6a4146281a69c9d6b9935b7e55
SHA512 df4fb33f615670322887323fdbc319bcb0ff66eb99fc414638a1ebeb2c38725dd76e6ed94c956ac9846ea76a6a0d80f1d2daa5b5610cd4fee1c138230d0173f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c3d529edb9f1d89e925a367b08a103e
SHA1 a70e8681f24e84b91b8febb0576c0bf306362b4b
SHA256 83e1c33a02accb5e4e4b02e0b7a0a3c33a99aa76fae6e0bc5dd0484ebf427937
SHA512 ab49aaa9ff768e7729fe81aeb0657c3e86130d578c3ae7875e99c3b495208369d2a34976fcbfb3abb396b2b2fb9587f1fca6355beeeb6d7f424c1ca35208cbc7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f15f426944d275cc304b3dc8266d8c6
SHA1 77a45f7be187c9abfef07e49134ee92e72c8ffe8
SHA256 41089795839b21df87e2234a013eb8c99a27d624fc5e6c86af6bcaeb64c7a163
SHA512 5b1b95cff3fa44d4445ff79eda3039a41fa8b646606917f5bc71539fb238643c9f234407ccc76216368f91378d46fa2f435b65706bac61abc789a8e87e2c77a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5b445634e3e0a579fd89f46fdd9aed2
SHA1 acdcee0ec4905f70b99be67f38ab3f3fc749d9eb
SHA256 1b85a82ce46fc093b9b2f512a70b51d88d9dd04435ff71eb15b7ebfb1000e7db
SHA512 a8e504e182107350259ae848576edc8726ed3397c72717c430048f7101dd987365423dfbae43c15245ce43a052c8c7a01d4d24a8ed0660c30bc5b79edcd06fa3

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240508-en

Max time kernel

123s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thought_Family_Beast.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thought_Family_Beast.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp

Files

memory/2692-0-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/2692-1-0x00007FFC162CD000-0x00007FFC162CE000-memory.dmp

memory/2692-2-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/2692-3-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/2692-4-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240611-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Bestiality.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThoughtDefs\Thoughts_Bestiality.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/632-0-0x00007FFCF6470000-0x00007FFCF6480000-memory.dmp

memory/632-1-0x00007FFD3648D000-0x00007FFD3648E000-memory.dmp

memory/632-2-0x00007FFD363F0000-0x00007FFD365E5000-memory.dmp

memory/632-3-0x00007FFD363F0000-0x00007FFD365E5000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_Bondage.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_Bondage.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/3316-0-0x00007FFD34D30000-0x00007FFD34D40000-memory.dmp

memory/3316-1-0x00007FFD74D4D000-0x00007FFD74D4E000-memory.dmp

memory/3316-2-0x00007FFD74CB0000-0x00007FFD74EA5000-memory.dmp

memory/3316-3-0x00007FFD74CB0000-0x00007FFD74EA5000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-29 04:37

Reported

2024-06-29 04:40

Platform

win10v2004-20240508-en

Max time kernel

86s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_Resource_AnimalProduct_Eggs.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rjw-master\1.4\Defs\ThingDefs\Items_Resource_AnimalProduct_Eggs.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4060-0-0x00007FFE0F630000-0x00007FFE0F640000-memory.dmp

memory/4060-1-0x00007FFE4F64D000-0x00007FFE4F64E000-memory.dmp

memory/4060-2-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

memory/4060-3-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp