Malware Analysis Report

2024-10-23 22:14

Sample ID 240718-qkalsszepp
Target Soboce.zip
SHA256 a2cf16e6c90e082fc5d52f5693d8d433200a10425680ced2f3b1264a2a1d23c3
Tags
formbook pz12 execution rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral10, behavioral11, behavioral12, behavioral13, behavioral14, behavioral3, behavioral2, behavioral7, behavioral5, behavioral9, behavioral1, behavioral4, behavioral6, behavioral8 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

a2cf16e6c90e082fc5d52f5693d8d433200a10425680ced2f3b1264a2a1d23c3

Threat Level: Known bad

The file Soboce.zip was found to be: Known bad.

Malicious Activity Summary

formbook pz12 execution rat spyware stealer trojan

Formbook

Formbook payload

Command and Scripting Interpreter: PowerShell

Deletes itself

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

NTFS ADS

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses
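Read together, the signatures above (a process created through NtCreateUserProcess, UnmapMainImage, WriteProcessMemory, MapViewOfSection, SetThreadContext) are the individual steps of process hollowing: a host process is started, its original image is unmapped, a replacement is written and mapped, and a thread is pointed at the new entry point. The behavioral10 run below also shows msedge.exe (PID 4548) writing to its own child msedge.exe processes, which is how a Chromium-based browser broker sets up its children and is not injection. The Python below is an added example, not part of this report or the sandbox's own tooling, of telling the two apart in API-call telemetry; the pipe-separated event format, the dropper.exe/host.exe/self.exe rows and the step threshold are constructed for illustration, while the two msedge.exe rows mirror the WriteProcessMemory table in behavioral10.

```python
"""Flag process-hollowing chains in API-call telemetry.

Added example for this report. The event format and the dropper.exe,
host.exe and self.exe rows are constructed; the msedge.exe rows mirror
the behavioral10 WriteProcessMemory table.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Calls that, taken together against one target process, make up the
# hollowing sequence the summary signatures describe.
HOLLOWING_APIS = {
    "NtCreateUserProcess",
    "NtUnmapViewOfSection",   # reported above as "UnmapMainImage"
    "WriteProcessMemory",
    "NtMapViewOfSection",     # reported above as "MapViewOfSection"
    "SetThreadContext",
}
# Calls that replace or redirect code in the target. Plain IPC setup never
# needs them, so they separate injection from a browser broker writing to
# children of its own image.
CODE_REPLACEMENT = {"NtUnmapViewOfSection", "SetThreadContext"}
MIN_DISTINCT_STEPS = 3   # constructed threshold for this example


@dataclass(frozen=True)
class ApiEvent:
    pid: int
    image: str
    api: str
    target_pid: int
    target_image: str


def parse_event(line: str) -> ApiEvent:
    """Parse 'pid|image|api|target_pid|target_image' (constructed format)."""
    pid, image, api, target_pid, target_image = line.strip().split("|")
    return ApiEvent(int(pid), image, api, int(target_pid), target_image)


def score_hollowing(events: Iterable[ApiEvent]) -> Dict[Tuple[int, int], List[str]]:
    """Return {(source_pid, target_pid): sorted distinct APIs} for suspected hollowing."""
    steps = defaultdict(set)
    for ev in events:
        if ev.api in HOLLOWING_APIS and ev.target_pid != ev.pid:
            steps[(ev.pid, ev.image, ev.target_pid, ev.target_image)].add(ev.api)

    findings = {}
    for (pid, image, target_pid, target_image), apis in steps.items():
        same_image = image.lower() == target_image.lower()
        replaces_code = bool(apis & CODE_REPLACEMENT)
        # Same-image writes without code replacement are the Chromium broker
        # pattern from behavioral10 (msedge.exe -> msedge.exe). Anything else
        # with enough distinct steps is reported.
        if len(apis) >= MIN_DISTINCT_STEPS and (replaces_code or not same_image):
            findings[(pid, target_pid)] = sorted(apis)
    return findings


def triage(log_text: str) -> Dict[Tuple[int, int], List[str]]:
    """Parse a whole constructed log and score it."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return score_hollowing(events)


SAMPLE_LOG = """\
4548|msedge.exe|WriteProcessMemory|1008|msedge.exe
4548|msedge.exe|WriteProcessMemory|2404|msedge.exe
7001|dropper.exe|NtCreateUserProcess|7002|host.exe
7001|dropper.exe|NtUnmapViewOfSection|7002|host.exe
7001|dropper.exe|WriteProcessMemory|7002|host.exe
7001|dropper.exe|WriteProcessMemory|7002|host.exe
7001|dropper.exe|SetThreadContext|7002|host.exe
7003|self.exe|NtCreateUserProcess|7004|self.exe
7003|self.exe|WriteProcessMemory|7004|self.exe
7003|self.exe|SetThreadContext|7004|self.exe
"""

if __name__ == "__main__":
    for (src, dst), apis in triage(SAMPLE_LOG).items():
        print(f"PID {src} -> PID {dst}: {', '.join(apis)}")
```

The same-image case (self.exe spawning and hollowing a copy of itself) is still reported because SetThreadContext is present; the msedge.exe rows are not, because the broker only ever calls WriteProcessMemory against its children.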

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-18 13:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
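The only static finding is that the PE inside the archive carries no Authenticode signature. The Python below is an added check, not from this report or the sandbox, that locates IMAGE_DIRECTORY_ENTRY_SECURITY with struct alone and confirms a WIN_CERTIFICATE header sits where it points. build_minimal_pe is a constructed, header-only PE32+ image used to exercise the parser, and the certificate bytes it embeds are a placeholder rather than real PKCS#7 data. Presence of the directory says nothing about validity; the chain still has to be verified separately (for example with osslsigncode verify or signtool verify /pa) before an unsigned-versus-signed result means anything.

```python
"""Check whether a PE carries an Authenticode signature block.

Added example. build_minimal_pe() produces a constructed, header-only PE32+
image for exercising the parser; its certificate bytes are a placeholder,
not real PKCS#7 data.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_directory(pe: bytes):
    """Return (file_offset, size) of the Security directory, or None if absent.

    Walks DOS header -> PE signature -> COFF header -> optional header ->
    data directories. Unlike the other directories, the Security entry holds
    a raw file offset rather than an RVA, because the blob is never mapped.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:        # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+
        count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", pe, opt + count_off)
    # The directory table must fit inside the declared optional header.
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or dirs_off + 8 * n_dirs > size_of_optional:
        return None
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", pe, entry)
    return (offset, size) if offset and size else None


def is_signed(pe: bytes) -> bool:
    """True if a well-formed PKCS#7 WIN_CERTIFICATE sits where the directory points.

    This is presence, not validity: the signature must still be verified
    against a trusted chain before it means anything.
    """
    directory = authenticode_directory(pe)
    if directory is None:
        return False
    offset, size = directory
    if size < 8 or offset + size > len(pe):
        return False          # points outside the file: truncated or tampered
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    return 8 <= length <= size and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed header-only PE32+ image (not a runnable binary) for the checks above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    n_dirs = 16
    opt = bytearray(112 + 8 * n_dirs)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 108, n_dirs)           # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    header_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        blob = b"\x30\x82\x00\x10" + b"\x00" * 16       # placeholder, not PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    path = sys.argv[1]
    with open(path, "rb") as fh:
        print(f"{path}: {'signed' if is_signed(fh.read()) else 'unsigned'}")
```

The truncation check matters in practice: a sample whose Security directory points past the end of the file has had its signature stripped or its tail cut, and should be treated as unsigned rather than as a parser error.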

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4548 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 rows)
PID 4548 wrote to memory of 1008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 rows)
PID 4548 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 rows)
PID 4548 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (20 rows)

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd23bf46f8,0x7ffd23bf4708,0x7ffd23bf4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10359067687372337344,1544378555322798913,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3112 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7f37f119665df6beaa925337bbff0e84
SHA1 c2601d11f8aa77e12ab3508479cbf20c27cbd865
SHA256 1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027
SHA512 8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

\??\pipe\LOCAL\crashpad_4548_KWHWIWKWEZNBMQTY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d406f3135e11b0a0829109c1090a41dc
SHA1 810f00e803c17274f9af074fc6c47849ad6e873e
SHA256 91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4
SHA512 2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 87c0a26d934cba0102ad9455a3eecafe
SHA1 ff07ccf82400e5ea3e73f3ff8cb69d84dc377947
SHA256 631d6c0ab647d76b2b85d538123b09b27ae2037a6701d58679c5d4977ab138ea
SHA512 55909ad62ffeaec6952f4bd364bf7092a7ebabfccabad46a584e778e3d8f1a69245ea2799858909db8e9679baf9d8bb67ec1f70ad302316501f1b8fa94aa8a1d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fa43268808e49c2605161717f6bf465c
SHA1 4ec622f5aa0e935dcbde9c098cf3f817575d73e1
SHA256 244f70ed4ef545cfd8950649c0b1417b60b3297d33300ef92906bae46356a054
SHA512 d0a27675e13d902e82d116ace27a000ec72135db8fefe762987c129f86f525188b2d6f1b75107738f8f1b948ffb0a2e9ce82b7e4b7b4f7849b420e4d0adcff1a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 26e6df48b5c9ddd01d7dc30b82ca636c
SHA1 3e6146448d1bed2668527cbc47ee9a17abbf9a93
SHA256 4d37105b72630a2aa5459a9203e4952524159ab626523f5c5b5cbabd99ab74a2
SHA512 fef2a365d5db27de611d1f22eb285816fd0f6b99bee10def6b3a52884e07f51a29cd22486f42a77635344e6fb8d88033e95831af0ca02268b6fc65669033080e

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win7-20240704-en

Max time kernel

118s

Max time network

120s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\email-plain-1.txt

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\email-plain-1.txt

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win10v2004-20240709-en

Max time kernel

140s

Max time network

125s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\email-plain-1.txt

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\email-plain-1.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\image001.png

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\image001.png

Network

N/A

Files

memory/2520-0-0x0000000000210000-0x0000000000211000-memory.dmp

memory/2520-1-0x0000000000210000-0x0000000000211000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win10v2004-20240709-en

Max time kernel

140s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\image001.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\image001.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win7-20240705-en

Max time kernel

150s

Max time network

125s

Command Line

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\e6b82e1c-ac44-4023-8042-08dca5e19c90\4a7406b5-aea0-3461-afa2-c5f3f9b9a06d.eml"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfc007.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\Outlook\outlperf.h C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}\ = "_ContactItem" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063008-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305A-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063049-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\ = "ItemProperties" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063001-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F7-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063081-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\ = "Conflicts" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\ = "_TableView" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\ = "_RemoteItem" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\ = "InspectorsEvents" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1RBX3V\Solicitud de Pedido SP N 17850_16 07 2024 Soboce S A_PDF.001:Zone.Identifier C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1RBX3V\Solicitud de Pedido SP N 17850_16 07 2024 Soboce S A_PDF (2).001\:Zone.Identifier:$DATA C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2348 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2348 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2348 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2348 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2348 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2348 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2348 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Windows\SysWOW64\rundll32.exe
PID 2348 wrote to memory of 292 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2348 wrote to memory of 292 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2348 wrote to memory of 292 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2348 wrote to memory of 292 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2064 wrote to memory of 884 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2064 wrote to memory of 884 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2064 wrote to memory of 884 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2064 wrote to memory of 884 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

Processes

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\e6b82e1c-ac44-4023-8042-08dca5e19c90\4a7406b5-aea0-3461-afa2-c5f3f9b9a06d.eml"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1RBX3V\Solicitud de Pedido SP N 17850_16 07 2024 Soboce S A_PDF.001

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1RBX3V\Solicitud de Pedido SP N 17850_16 07 2024 Soboce S A_PDF.001"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1RBX3V\Solicitud de Pedido SP N 17850_16 07 2024 Soboce S A_PDF.001"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\Solicitud de Pedido SP N° 17850_16 07 2024 Soboce S.A_PDF.001

Network

Country Destination Domain Proto
US 8.8.8.8:53 config.messenger.msn.com udp
US 64.4.26.155:80 config.messenger.msn.com tcp

Files

memory/2064-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2064-1-0x000000007409D000-0x00000000740A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 49bc31f757825ae32e6b41d3f489ccf3
SHA1 9529cced2fa99715025dc5f3bd361a3e98f48f5a
SHA256 111a1d7c60462e94fb25d31348810a6526a3b1c5944643144a59a5eecf44dd38
SHA512 cdf80ff6fd3891c2aafa1040a4bbbf06004224c08994b728809b7636939085011e21db73861501216df737cec5980cb2be8f250185a3385df8117e94fd895c4e

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

MD5 48dd6cae43ce26b992c35799fcd76898
SHA1 8e600544df0250da7d634599ce6ee50da11c0355
SHA256 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512 c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1RBX3V\Solicitud de Pedido SP N 17850_16 07 2024 Soboce S A_PDF.001

MD5 325b88a0301801c9e04590d2514f6a8e
SHA1 79203bbe463d36eb199c2b97732ba638b5764780
SHA256 81f6ee45019c48d23ac3265a1ba120d0b34a74e7a51ae3d1c5cecea4db88fe8b
SHA512 32163a4ff580ee3ed1f43ba1990e8688cedd5b44c93ca7de138d6fe69eaaacd6712a3c19c260f692ab964db7677f5d8d79c5171785a4fbd7d15e8d6621b69621

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 db5cf5a97cae67290159ede83c406696
SHA1 a569eda52b60d833bcc07c7d1b8712f2c64bde21
SHA256 feeac753e30e3adabee64fd0cdc60a6f360615ba4d704ad82169278ce6fa7362
SHA512 c4245ffdb94f438aba6ae8c80046b454e3e0250f310ddf681191ef1a270c6fabf84eb58925d9c8fde8396231a0d2ccc5822363dc1e78ef1ea62714b721cc2631

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2857d0a28331b14efe9f488bef8e2719
SHA1 6b0188421f2a3cc135dea90a9ac500bab1ea8195
SHA256 6ffbc6db9e7f2e69645dcff186e70951310e8a5d7feaeb1010c93f5f5335a081
SHA512 ad9aa8569d4eb35a0014f6b8af128e7363bd083d967da01eab6de07cabd4df06ad1de1f4ca32272ae5b3aec9d741a775bfee4eeaef7d1b9c6bcf1a7f8d80697d

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5a5b41d6ae5188f46391120f506ceb8e
SHA1 80fa785250f0d8691dc6d43bfb2822382da3335d
SHA256 36c5e6557b2c4ff138d66da3a883bc192a1c4716faf87dc1c8c9329995c0a127
SHA512 c15a7a2f517632b4e95fe8b07fa041b572c34be640a384df7f2cf55f419022d7e26ef9336f56cd5af3d89934745da37264137c4bdf0e821651de25d2831c4318

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Soboce.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Soboce.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win7-20240704-en

Max time kernel

147s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 2932 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 2932 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 2932 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 2932 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 2932 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 2932 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 2932 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 2932 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 2932 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 2932 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 1196 wrote to memory of 2904 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msdt.exe
PID 1196 wrote to memory of 2904 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msdt.exe
PID 1196 wrote to memory of 2904 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msdt.exe
PID 1196 wrote to memory of 2904 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msdt.exe
PID 2904 wrote to memory of 2632 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2632 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2632 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2632 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"

C:\Windows\SysWOW64\msdt.exe

"C:\Windows\SysWOW64\msdt.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"

Network

N/A

Files

memory/2932-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

memory/2932-1-0x00000000002C0000-0x0000000000396000-memory.dmp

memory/2932-2-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/2932-3-0x00000000003F0000-0x000000000040A000-memory.dmp

memory/2932-4-0x00000000003A0000-0x00000000003AE000-memory.dmp

memory/2932-5-0x0000000004EC0000-0x0000000004F36000-memory.dmp

memory/2348-12-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2348-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2348-8-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2348-6-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2348-14-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

memory/2932-13-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/2348-18-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2904-19-0x00000000005D0000-0x00000000006C4000-memory.dmp

memory/2904-20-0x00000000000D0000-0x00000000000FF000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win7-20240708-en

Max time kernel

143s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Solicitud de Pedido SP N° 17850_16 07 2024 Soboce S.A_PDF.rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Solicitud de Pedido SP N° 17850_16 07 2024 Soboce S.A_PDF.rar"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solicitud de Pedido SP N° 17850_16 07 2024 Soboce S.A_PDF.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solicitud de Pedido SP N° 17850_16 07 2024 Soboce S.A_PDF.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Solicitud de Pedido SP N° 17850_16 07 2024 Soboce S.A_PDF.rar"

Network

N/A

Files

memory/2608-29-0x000000013F6A0000-0x000000013F798000-memory.dmp

memory/2608-30-0x000007FEFA890000-0x000007FEFA8C4000-memory.dmp

memory/2608-32-0x000007FEF70E0000-0x000007FEF70F8000-memory.dmp

memory/2608-38-0x000007FEF6560000-0x000007FEF6571000-memory.dmp

memory/2608-37-0x000007FEF6580000-0x000007FEF659D000-memory.dmp

memory/2608-36-0x000007FEF65A0000-0x000007FEF65B1000-memory.dmp

memory/2608-35-0x000007FEF65C0000-0x000007FEF65D7000-memory.dmp

memory/2608-34-0x000007FEF6B30000-0x000007FEF6B41000-memory.dmp

memory/2608-33-0x000007FEF6B70000-0x000007FEF6B87000-memory.dmp

memory/2608-31-0x000007FEF5A00000-0x000007FEF5CB6000-memory.dmp

memory/2608-40-0x000007FEF57F0000-0x000007FEF59FB000-memory.dmp

memory/2608-60-0x000007FEF5450000-0x000007FEF5462000-memory.dmp

memory/2608-59-0x000007FEF5470000-0x000007FEF5481000-memory.dmp

memory/2608-58-0x000007FEF5490000-0x000007FEF54B3000-memory.dmp

memory/2608-57-0x000007FEF54C0000-0x000007FEF54D8000-memory.dmp

memory/2608-56-0x000007FEF54E0000-0x000007FEF5504000-memory.dmp

memory/2608-55-0x000007FEF5510000-0x000007FEF5538000-memory.dmp

memory/2608-54-0x000007FEF5540000-0x000007FEF5597000-memory.dmp

memory/2608-53-0x000007FEF55A0000-0x000007FEF55B1000-memory.dmp

memory/2608-52-0x000007FEF55C0000-0x000007FEF563C000-memory.dmp

memory/2608-51-0x000007FEF5640000-0x000007FEF56A7000-memory.dmp

memory/2608-50-0x000007FEF56B0000-0x000007FEF56E0000-memory.dmp

memory/2608-49-0x000007FEF56E0000-0x000007FEF56F8000-memory.dmp

memory/2608-48-0x000007FEF5700000-0x000007FEF5711000-memory.dmp

memory/2608-47-0x000007FEF5720000-0x000007FEF573B000-memory.dmp

memory/2608-46-0x000007FEF5740000-0x000007FEF5751000-memory.dmp

memory/2608-45-0x000007FEF5760000-0x000007FEF5771000-memory.dmp

memory/2608-44-0x000007FEF5780000-0x000007FEF5791000-memory.dmp

memory/2608-43-0x000007FEF60A0000-0x000007FEF60B8000-memory.dmp

memory/2608-42-0x000007FEF6100000-0x000007FEF6121000-memory.dmp

memory/2608-41-0x000007FEF57A0000-0x000007FEF57E1000-memory.dmp

memory/2608-39-0x000007FEF4170000-0x000007FEF5220000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win7-20240704-en

Max time kernel

117s

Max time network

131s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\email-html-2.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000fc05eb6d880aa02438e9ffda473ced3baf95a2a0b7c1763d78399fc68b3907d7000000000e8000000002000020000000b38efd30993a16a1c05b07b4fead7f21d342fcd19aaecf32fd0915c1d2e1caac200000007464afddf596dca1fa305ad126d8bb629e63d5f3fd4210a5763e524833e10638400000006903b73678e564195a19e8771c5baf58fdf47dac0fd36fc7a8e5f49d9ac5cbe1310e2c40dedc067cc86d9afbeb9e6316e61c5bd2be4c0a03bfe66a1ea15a155a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f03551000000000200000000001066000000010000200000006844456c745b23644264a6aee36db628d8e74c98058877df872ead7aefd5c926000000000e800000000200002000000068bf8475838d31970590fe4ca86aabe25cc0686eff62c9582c452197b1c4afe89000000051a697486d8781d91c88f775a3e085033cff22db2ee8def009a3a57edb30dece6e30aba5765158095502cf794cf1f69d87b1b94546544ad74b2fa3581de5ac0e2341113d228d65afd382a31477312734bdae9655539aed6908f8b3336316c49874ade12c548eb79cb32a8684dc69c6859a1137d175b82c5caecc96c1326f4ed3693fe9488b408f4377ae2f5ac4fd603e4000000099e3007d93f89b88c08a58f16dec055f72e168512b276e663fbb5507ad12240457ee7e4b8093cd002b6eca6251911de3e836dbed02650663dc0db1fda9a1f7d8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427470619" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a01af62415d9da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50704A71-4508-11EF-93F3-6E739D7B0BBB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\email-html-2.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabF143.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF203.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec661546a9589f91461181599d3aeefc
SHA1 f4d9cdcf54b36d17c8ca7f792c79dbeaa3a201c4
SHA256 94184101bf98cf7b795cc00da656de6738ec372b47915b6160d36746983fe9ea
SHA512 821c9c7343a5aeccc198a12e6c82b73fd750e69e69c2f2a90adb02ad867ca10174474f21546d2d216085304913e9e836fca7db6ffa97a6a2a0db16c3605b0c78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d3f5014d7071def3b2ea4e286f597a8
SHA1 b5f5655466568ac04ee47c94e2b0e641d78b9c29
SHA256 f7a5152d47e913906eaee06871503ca5c1b4e8b3ed7be94c9376054543fd6b68
SHA512 964b7503d12936d235d493bd66a6a6311324dde1faab3b4421c6c667365d02e9d21dc6787bb2d378ec96ed68d4aabdfec845c107c86d1e57311374ac7b656e81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9bd4abf4e753a9752bec4b92ac490fb9
SHA1 221fd6fe51bcfc8d7d3f6a03ee70544039fdc92b
SHA256 0e2ffffea389dd6e427d54f84529d39ae8c3ae19df910350102414bbe3481bee
SHA512 16cd55a485a1383c46bde57d2b825e3be0752214a3ad5bd3e35d3fa669583c117404cedc330f8883d87567e61b99604acbbb988ea7bb29ae04e4a4e84a2e6dc6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00d14651b0b2e9025762fb3e66f0fc3d
SHA1 3d5c703435d0dd52fd1956b4e443e06d4c40cb17
SHA256 fddec7856aec93702eb55712a26d28578e404a265b489c2a681812b16569a2ff
SHA512 c9bbb3593a7a7e15ba6e5dca3e26a80a157602007004bcd1de8e0862a6463a37b3f4b85908fcaa0a54d92c71f9b923e0968dabc63d6846323bc55cc6dbde232f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 faa84b95729f86480656080e803e29f8
SHA1 26cb4545e87b43b388a32a0d4e9a9a339a03cdcf
SHA256 f5d65ff10014a605c5ec071565076c22ecc2f4ef0bdc2c641461fb5fdfdd5263
SHA512 b79b6298e9adc8f6490406fa0760b507e38d8f5d19de30a693368d84ca5df3953b6055c63524f33d60ebd1ba7f574da9997b691fbffe60198f2a0ba39ee75b6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b24c299ff1445d6218a5095bb1b1f7e0
SHA1 2c9ebb63194879dd093113b3b322b38fe0332c55
SHA256 0854dc2627a9e208f1f6a7782c0cf7f37d99fe0fe524d82d6fb068e535adf560
SHA512 fc0cc382ee831ea425c5969f0eafc1c3e7ab580d77876262642ee470c46771d2999d00d36e1b76ab374430355eb63d687c0c00bc20b6e7c6d562b2d14e14edf6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84aee513709b8f82658ff3ea2c034b80
SHA1 71d6b64f70b879772882816ab7808e2f6f50cf5e
SHA256 d7808d0994d0b6caa5fff0bca32ca7168376e54391594bcc55f4e5ca5ef255a3
SHA512 0bb928c242939626af782e226094f21b5b5f0cb789609323eb4c082167e2251c215ce24249a2a616172b75df69afb319b5bd83dabc9aef3e7cdb0b90c1457d40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b48ea1302b32bd68efc4da1957b3b52a
SHA1 c921198949b6db92b399adddac95a43954e06290
SHA256 cfe3efd03c19a5060fc0d06e5af91075dda00b383e6102d16cf7424b1c9b4448
SHA512 43426fc6ce4d497c970f7bd10fd13c60380e495dabd3abe1a6bfe8d609710318111a5624332f0483e5fa1022edae86f454c138357b5e95207c9f65d9399f3f49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b195eb480dba7431cd226c2d49de123d
SHA1 d410c06a5dbdf24013629c131d9d49b5c7a6c670
SHA256 afbd7d42a15a820d139a25146f4d8459ac58cd61e6e8371722e92a63cc6d3965
SHA512 094a88040bb9f777153f7eb01e8927a7e8b844cf2301f42776d9b3d10316ea939b1cad6ff676c71d81fc9c52d31c2b2f87d3e8d1298c393b3c75b256e112f055

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b7458d03497b40f3b274e1717ce11b5
SHA1 e8f8e08b8261697af1c31187607367e215f9382c
SHA256 b1be2ecaeb98ac024a1315cc51e5022d40a2629b85a4d5d741dd1d9b132d3fac
SHA512 22ffbbb136fda51d4148bd3226103865efa362c52004a4ef351a80497f9f32006bdad0a8ada467722b3587137899ea6424789b28dfd6b7ef79934c5a9955703d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dfa60555600e74270479dea68a4b0b40
SHA1 9fb9f558640760ebce09666589c6c9ca592e4461
SHA256 4575308661ccd06018893489bde37ae751a4a27fd15a5b26a4992e9dfaf2569c
SHA512 c12d30288cc4f526dc363fb55be9a94adbf36886bfcfe718f59083601b89f3563b137c42ead76a7d8c70cccd8935a00548007465df258826dfc979de3c1fa1a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c3d09a880ade1a1ed21851185fb6006
SHA1 b55ab7724166a1454b781bc89882c7ca1bbb63ce
SHA256 d82baec370e2316559ce32782b1bbfc45d5463fa095a07a7376b5b8ae43d01c3
SHA512 cf3c51ea61f375281886f4a4caa77ced160999792ed0172306bc598bfe13273dd512bfe27ca2e4b804bbbb63b9bbe04c3d01f0400fc0b1e0ba3040c772b37240

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b57261763a9336ff116acded03434f0
SHA1 482d55f618dd6e8c51fdb442b6aa0966c07d94e1
SHA256 6122315e3f9184c494629ff23017998a96c7dc88928e069a9496ce89760de846
SHA512 951bbaeb418888ec18c33f09515dc780357a352843828fb730b56bea203328e46a841d2335ced40ff47ea1f906d15c228bec4ecf2d01127cc50858620cbc33cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e451fcb0f0ace0bb30feefbf68070e9
SHA1 65e04a9284ab426699c0543f88372acd0163965b
SHA256 2cdb28d72ceb39ac6635331f593b3288080f7073342d59b2e31022953aa4abf5
SHA512 3f83b9b7a43c261b4ee12589357030f27a0a113dc400ef9d10124523cccb76f291f6558bbd0e5944b2635a627fedd0ee54b586579fea2d7afdbc3ff6a6a334a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2837345fc53d04d2a75109910fdd2f81
SHA1 566ab9ce3ef897b7477a9767a201d5a68b912822
SHA256 8bfa2dc324d2dc1d143c73c1d17b41f44452bcd3f9143568fb758b2842b19ad7
SHA512 45fe93072431571873d83c79c186d26b22f9452696c7fe2d124cf883bc7e42f53045defb133e5922b21030f3ae63eae5cc36a30665b80090596d20dbc59e691f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c06e816a7d9e4524c9a398cc3cd5aee1
SHA1 aed195a8f96a8ef35c6a6554daa2166d24163dbe
SHA256 1b246d147efc3b2703e22f6b747e2f6488b103effd657eae0d461b351864b4ed
SHA512 b56310508e04993ed66f6096c3230751bc0ecb6f9747c7e056bafb68dfabf130e12af47f10b14501c291cef72a67b9a1f108e99dfb876cd619132a34807506e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad4faaefd82ac934de4c5b655e29bcc2
SHA1 64e1c16a2ab0c3904242008425c1a057619b8516
SHA256 efc086b18a95d6211a85dd1d7b0c675bffca946e9ecc41eb238ed6dddc8487d8
SHA512 afb4b255d5a6bf897fbc8d89a28a4b69e8861fa67f89d6af0d2ee0d106b7af6d99aa4b42175ac430d4de0c67a0e076a58c94721ca876ee8dd4326d3722bcc1c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdd779dcb30297325b3b18aa2392095d
SHA1 89001548887221da6410d17c6f0bab485b9d5bcf
SHA256 42f8e3f2ac9a998fde8c40f4391f792a49df9bff065b0c67274ada8ab6b5a364
SHA512 de7a99088bfc0647205a7015ac19be28ef124fa198348e9b28c95cc3af1890539ca58dfe32b7859908b0b81b436a7f0f76516fb85046edf845195c7aa589f333

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Soboce.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Soboce.zip

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win10v2004-20240709-en

Max time kernel

142s

Max time network

107s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\e6b82e1c-ac44-4023-8042-08dca5e19c90\4a7406b5-aea0-3461-afa2-c5f3f9b9a06d.eml

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\e6b82e1c-ac44-4023-8042-08dca5e19c90\4a7406b5-aea0-3461-afa2-c5f3f9b9a06d.eml:OECustomProperty C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\e6b82e1c-ac44-4023-8042-08dca5e19c90\4a7406b5-aea0-3461-afa2-c5f3f9b9a06d.eml

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

156s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Solicitud de Pedido SP N° 17850_16 07 2024 Soboce S.A_PDF.rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Solicitud de Pedido SP N° 17850_16 07 2024 Soboce S.A_PDF.rar"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-18 13:18

Reported

2024-07-18 13:21

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1128 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1128 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1128 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1128 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 1128 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 1128 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 1128 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 1128 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 1128 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe
PID 3492 wrote to memory of 1620 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msiexec.exe
PID 3492 wrote to memory of 1620 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msiexec.exe
PID 3492 wrote to memory of 1620 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msiexec.exe
PID 1620 wrote to memory of 3504 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3504 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3504 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
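The two signature tables above (AdjustPrivilegeToken and WriteProcessMemory) are the raw material for reconstructing the injection chain. The Python below is an added example, not part of the sandbox report: it parses those rows (copied in as a constructed sample, one row per distinct event), labels each cross-process write by its image pairing, follows the writes into chains, and lists which SeDebugPrivilege requests came from a user-writable path. STAGING_HOSTS and USER_WRITABLE are assumed lists of my own, not something the report states.

```python
import re
from collections import defaultdict

# Rows copied from this report's WriteProcessMemory and AdjustPrivilegeToken
# tables (constructed sample: one row per distinct event; the report repeats
# a row once per API call).
WRITE_ROWS = [
    "PID 1128 wrote to memory of 3568 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    "PID 1128 wrote to memory of 1972 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe",
    "PID 3492 wrote to memory of 1620 N/A C:\\Windows\\Explorer.EXE C:\\Windows\\SysWOW64\\msiexec.exe",
    "PID 1620 wrote to memory of 3504 N/A C:\\Windows\\SysWOW64\\msiexec.exe C:\\Windows\\SysWOW64\\cmd.exe",
]
TOKEN_ROWS = [
    "Token: SeDebugPrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe N/A",
    "Token: SeDebugPrivilege N/A C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe N/A",
    "Token: SeDebugPrivilege N/A C:\\Windows\\SysWOW64\\msiexec.exe N/A",
    "Token: SeShutdownPrivilege N/A C:\\Windows\\Explorer.EXE N/A",
]

# Both image paths contain spaces, so the source path is matched lazily up to
# the drive-letter prefix of the target instead of splitting on whitespace.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) N/A (.+) N/A$")

# Assumed lists (not from the report): signed Windows utilities an injected
# explorer thread commonly uses as its next host, and user-writable path hints.
STAGING_HOSTS = {"msiexec.exe", "svchost.exe", "cmd.exe", "wscript.exe", "cmstp.exe", "control.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def parse_writes(rows):
    """Return (src_pid, dst_pid, src_image, dst_image) per row."""
    edges = []
    for row in rows:
        m = WRITE_RE.match(row)
        if not m:
            raise ValueError("unparsed row: " + row)
        src_pid, dst_pid, src_img, dst_img = m.groups()
        edges.append((int(src_pid), int(dst_pid), src_img, dst_img))
    return edges


def classify_writes(edges):
    """Label each write by its image pairing. A parent writing into a child it
    just created looks the same as injection in this table, so a label
    describes the pairing, not proof of injection on its own."""
    written_into = set()
    findings = []
    for spid, dpid, simg, dimg in edges:
        sb, db = basename(simg), basename(dimg)
        if simg.lower() == dimg.lower():
            label = "self-injection: parent writes into a fresh instance of its own image (hollowing, T1055.012)"
        elif sb == "explorer.exe" and db in STAGING_HOSTS:
            label = f"explorer.exe writes into {db}: injected shell thread staging a system utility (T1055)"
        elif spid in written_into:
            label = f"{sb} (itself written into earlier) writes into {db}: next stage of the chain"
        elif in_user_writable(simg):
            label = f"binary in a user-writable path writes into {db}"
        else:
            continue
        written_into.add(dpid)
        findings.append((spid, dpid, label))
    return findings


def write_chains(edges):
    """Follow writes from PIDs that never appear as a target (the roots)."""
    children = defaultdict(list)
    targets = set()
    for spid, dpid, _, _ in edges:
        children[spid].append(dpid)
        targets.add(dpid)
    chains = []

    def walk(pid, path):
        if pid not in children:
            chains.append(path)
            return
        for child in children[pid]:
            walk(child, path + [child])

    for root in sorted(p for p in children if p not in targets):
        walk(root, [root])
    return chains


def debug_privilege_from_user_paths(rows):
    """Images under a user-writable path that enabled SeDebugPrivilege; the
    shell's routine SeShutdown/SeCreatePagefile rows fall through."""
    hits = []
    for row in rows:
        m = TOKEN_RE.match(row)
        if not m:
            raise ValueError("unparsed row: " + row)
        privilege, image = m.groups()
        if privilege == "SeDebugPrivilege" and in_user_writable(image):
            hits.append(image)
    return hits


if __name__ == "__main__":
    edges = parse_writes(WRITE_ROWS)
    for spid, dpid, label in classify_writes(edges):
        print(f"{spid} -> {dpid}: {label}")
    for chain in write_chains(edges):
        print("chain:", " -> ".join(map(str, chain)))
    print("SeDebugPrivilege from user paths:", debug_privilege_from_user_paths(TOKEN_ROWS))
```

Running it yields two chains, 1128 -> 3568 / 1128 -> 1972 and 3492 -> 1620 -> 3504. The table records no write into Explorer.EXE (PID 3492), so the hand-off from the hollowed copy (1972) into the shell is not recoverable from these rows alone; Explorer's UnmapMainImage row and its memory dumps are the only traces of it here, which is why the reconstruction has two roots rather than one.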

Processes

The same six processes as recorded by the sandbox, grouped into a tree. PIDs and the parent/child nesting follow the direction of the WriteProcessMemory rows above; no write into Explorer.EXE (PID 3492) is recorded there, so the tree has two roots. Each image path is followed by its command line.

C:\Windows\Explorer.EXE  (PID 3492)
    C:\Windows\Explorer.EXE
    +-- C:\Windows\SysWOW64\msiexec.exe  (PID 1620)
            "C:\Windows\SysWOW64\msiexec.exe"
        +-- C:\Windows\SysWOW64\cmd.exe  (PID 3504)
                /c del "C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe  (PID 1128)
    "C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"
    +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3568)
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"
    +-- C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe  (PID 1972)
            "C:\Users\Admin\AppData\Local\Temp\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"

Note: the powershell.exe command line names System32, but the image that actually ran is under SysWOW64. The dropper is a 32-bit process, so WOW64 file system redirection applies to it and to every child it starts; detections keyed on the System32 path would miss this launch. The cmd.exe entry is shown as the report records it (arguments only, without the image name).
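Three of the command lines above carry the behaviour a detection engineer would key on: a Defender exclusion added for a file in %TEMP%, a cmd /c del of that same file, and a document-lookalike file name ending in _PDF.exe. The Python below is an added example, not part of the sandbox report; it runs those checks over the command lines copied from the Processes section (a constructed sample) and correlates the excluded path with the deleted one. USER_WRITABLE and the keyword list in LURE_RE are my own assumptions, not something the report defines.

```python
import re

# Command lines copied from this report's Processes section (constructed sample).
COMMAND_LINES = [
    'C:\\Windows\\Explorer.EXE',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"',
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Local\\Temp\\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"',
    '"C:\\Windows\\SysWOW64\\msiexec.exe"',
    '/c del "C:\\Users\\Admin\\AppData\\Local\\Temp\\Formulario de solicitud de pedido Soboce S A No 17850 16 07 2024_PDF.exe"',
]

# Assumed path fragments marking user-writable locations (not from the report).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")

# Add-MpPreference with any exclusion switch; the argument may be quoted or bare.
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\s+.*?-Exclusion(Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)
# "cmd /c del <file>"; the report records cmd.exe's arguments without the image.
DELETE_RE = re.compile(r'/c\s+(?:del|erase)\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Document-looking file name that is really an executable ("..._PDF.exe").
# Keyword list is an assumption; extend it with the lure words you see.
LURE_RE = re.compile(r'(?:pdf|docx?|xlsx?|invoice|factura|pedido)[^\\]*\.(?:exe|scr)$', re.IGNORECASE)
QUOTED_RE = re.compile(r'"([^"]+)"')


def defender_exclusions(cmdlines):
    """(kind, target) for every Defender exclusion added on a command line."""
    return [(kind.lower(), quoted or bare)
            for line in cmdlines
            for kind, quoted, bare in EXCLUSION_RE.findall(line)]


def cmd_deletes(cmdlines):
    """Files removed through cmd /c del."""
    out = []
    for line in cmdlines:
        m = DELETE_RE.search(line)
        if m:
            out.append(m.group(1) or m.group(2))
    return out


def executable_paths(cmdlines):
    """Every .exe path named on the command lines, quoted or as the first token."""
    paths = set()
    for line in cmdlines:
        tokens = QUOTED_RE.findall(line)
        if not line.startswith('"'):
            tokens.append(line.split(" ", 1)[0])
        paths.update(t for t in tokens if t.lower().endswith(".exe"))
    return paths


def is_lure_name(path):
    return bool(LURE_RE.search(path.rsplit("\\", 1)[-1]))


def triage(cmdlines):
    """Human-readable findings with ATT&CK technique IDs."""
    findings = []
    exclusions = defender_exclusions(cmdlines)
    for kind, target in exclusions:
        if any(f in target.lower() for f in USER_WRITABLE):
            findings.append(f"T1562.001 Defender {kind} exclusion for a user-writable path: {target}")
    excluded = {t.lower() for _, t in exclusions}
    for target in cmd_deletes(cmdlines):
        findings.append(f"T1070.004 file deleted via cmd: {target}")
        if target.lower() in excluded:
            findings.append("the excluded file is the file deleted afterwards: "
                            "self-cleanup once the payload has moved into another process")
    for path in sorted(executable_paths(cmdlines)):
        if is_lure_name(path):
            findings.append(f"document-lookalike executable name: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(COMMAND_LINES):
        print(finding)
```

The exclusion and deletion checks match on the arguments, not on the PowerShell or cmd image path, so they hold whether the host process is the System32 or the SysWOW64 copy; in production the same regexes apply to Sysmon event 1 or Security event 4688 command lines (4688 needs process command-line auditing enabled to carry the arguments).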

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 www.huesch.net udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 www.onesource.live udp
DE 3.64.163.50:80 www.onesource.live tcp
US 8.8.8.8:53 50.163.64.3.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.qqfoodsolutions.com udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 www.sekanse.com udp
US 103.224.212.215:80 www.sekanse.com tcp
US 8.8.8.8:53 215.212.224.103.in-addr.arpa udp
US 8.8.8.8:53 www.fidgetbottles.com udp
US 3.33.130.190:80 www.fidgetbottles.com tcp
US 8.8.8.8:53 190.130.33.3.in-addr.arpa udp
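Most rows in the network table are not the sample's doing: every *.in-addr.arpa entry is the sandbox resolver reverse-looking-up a peer it just saw, and the bing.com / bing.net traffic is Windows background activity. What remains is a list of domains the sample queried, some of which it also connected to on port 80. The Python below is an added example, not part of the sandbox report: it parses a subset of the rows above (constructed sample, identical repeated rows collapsed), separates that noise from candidate domains, records which candidates got an actual TCP connection, and emits flat IOC lines. BACKGROUND_SUFFIXES is an assumed allowlist of my own, not something the report provides.

```python
import re
from collections import defaultdict

# Subset of this report's Network rows (constructed sample; the five identical
# tse1.mm.bing.net connections and most reverse lookups are collapsed).
NETWORK_ROWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 www.huesch.net udp
US 8.8.8.8:53 www.onesource.live udp
DE 3.64.163.50:80 www.onesource.live tcp
US 8.8.8.8:53 50.163.64.3.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.qqfoodsolutions.com udp
US 8.8.8.8:53 www.sekanse.com udp
US 103.224.212.215:80 www.sekanse.com tcp
US 8.8.8.8:53 215.212.224.103.in-addr.arpa udp
US 8.8.8.8:53 www.fidgetbottles.com udp
US 3.33.130.190:80 www.fidgetbottles.com tcp
US 8.8.8.8:53 190.130.33.3.in-addr.arpa udp
"""

# Assumed allowlist of domain suffixes the sandbox's Windows image contacts on
# its own (not from the report); build yours from a clean detonation.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com",
                       ".windowsupdate.com", ".msftconnecttest.com")
ROW_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (tcp|udp)$")


def parse_rows(text):
    """One dict per 'Country Destination Domain Proto' row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def is_background(domain):
    # Reverse lookups are generated by the sandbox resolver for every peer,
    # so they never identify anything the sample chose to contact.
    if domain.endswith((".in-addr.arpa", ".ip6.arpa")):
        return True
    return domain.endswith(BACKGROUND_SUFFIXES)


def triage(rows):
    """Split rows into background noise and per-domain candidate records.
    A DNS row only proves a query was sent; an endpoint proves a connection."""
    noise = []
    candidates = defaultdict(lambda: {"dns_query": False, "endpoints": []})
    for r in rows:
        if is_background(r["domain"]):
            noise.append(r)
            continue
        record = candidates[r["domain"]]
        if r["proto"] == "udp" and r["port"] == 53:
            record["dns_query"] = True
        else:
            record["endpoints"].append((r["ip"], r["port"], r["country"]))
    return noise, dict(candidates)


def ioc_lines(candidates):
    """Flat 'type|value' lines, domains first, then the endpoints actually hit."""
    out = []
    for domain in sorted(candidates):
        out.append("domain|" + domain)
        for ip, port, _ in candidates[domain]["endpoints"]:
            out.append(f"ip-port|{ip}:{port}")
    return out


if __name__ == "__main__":
    noise, cands = triage(parse_rows(NETWORK_ROWS))
    print(f"{len(noise)} background rows dropped")
    for domain, rec in sorted(cands.items()):
        state = "connected" if rec["endpoints"] else "DNS query only"
        print(f"{domain}: {state} {rec['endpoints']}")
    print("\n".join(ioc_lines(cands)))
```

On this data the candidates are www.huesch.net and www.qqfoodsolutions.com (DNS only) plus www.onesource.live, www.sekanse.com and www.fidgetbottles.com (TCP/80 reached). Treat these as pivots rather than confirmed C2: Formbook walks a configured list of domains that mixes decoys with the live server, and a domain on that list may belong to an uninvolved third party, so block on the observed endpoint and investigate the domain before adding it to a reputation feed.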

Files

memory/1128-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

memory/1128-1-0x0000000000480000-0x0000000000556000-memory.dmp

memory/1128-2-0x0000000005540000-0x0000000005AE4000-memory.dmp

memory/1128-3-0x0000000004F90000-0x0000000005022000-memory.dmp

memory/1128-5-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1128-4-0x0000000004F50000-0x0000000004F5A000-memory.dmp

memory/1128-6-0x00000000051D0000-0x00000000051EA000-memory.dmp

memory/1128-7-0x00000000053A0000-0x00000000053AE000-memory.dmp

memory/1128-8-0x00000000061F0000-0x0000000006266000-memory.dmp

memory/1128-9-0x0000000008920000-0x00000000089BC000-memory.dmp

memory/1972-10-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1128-12-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1972-13-0x0000000001150000-0x000000000149A000-memory.dmp

memory/3568-14-0x0000000002190000-0x00000000021C6000-memory.dmp

memory/3568-15-0x000000007467E000-0x000000007467F000-memory.dmp

memory/3568-22-0x00000000022A0000-0x00000000022B0000-memory.dmp

memory/3492-21-0x0000000008710000-0x000000000889E000-memory.dmp

memory/1972-20-0x0000000001040000-0x0000000001054000-memory.dmp

memory/1972-19-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3568-24-0x0000000004B40000-0x0000000004BA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmqjt1dc.yoo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

(__PSScriptPolicyTest_*.ps1 is written to %TEMP% by powershell.exe itself at startup to test whether an AppLocker/WDAC script policy is enforced. It is a by-product of the powershell.exe launch in the process tree, not a file dropped by the sample, and its hashes are not useful as indicators.)

memory/3568-25-0x0000000004BB0000-0x0000000004C16000-memory.dmp

memory/3568-23-0x0000000004AA0000-0x0000000004AC2000-memory.dmp

memory/3568-18-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/3568-17-0x0000000004C30000-0x0000000005258000-memory.dmp

memory/3568-35-0x0000000005420000-0x0000000005774000-memory.dmp

memory/3568-36-0x0000000005A70000-0x0000000005A8E000-memory.dmp

memory/3568-37-0x0000000005AA0000-0x0000000005AEC000-memory.dmp

memory/3568-38-0x000000007F1E0000-0x000000007F1F0000-memory.dmp

memory/3568-39-0x0000000006020000-0x0000000006052000-memory.dmp

memory/3568-40-0x0000000070490000-0x00000000704DC000-memory.dmp

memory/3568-52-0x00000000022A0000-0x00000000022B0000-memory.dmp

memory/3568-51-0x00000000022A0000-0x00000000022B0000-memory.dmp

memory/3568-50-0x0000000006060000-0x000000000607E000-memory.dmp

memory/3568-53-0x0000000006CA0000-0x0000000006D43000-memory.dmp

memory/3568-54-0x00000000073E0000-0x0000000007A5A000-memory.dmp

memory/3568-55-0x0000000006DA0000-0x0000000006DBA000-memory.dmp

memory/1620-56-0x0000000000260000-0x0000000000272000-memory.dmp

memory/3568-57-0x0000000006E10000-0x0000000006E1A000-memory.dmp

memory/1620-61-0x0000000000260000-0x0000000000272000-memory.dmp

memory/1620-59-0x0000000000260000-0x0000000000272000-memory.dmp

memory/3568-62-0x0000000007020000-0x00000000070B6000-memory.dmp

memory/3568-63-0x0000000006FA0000-0x0000000006FB1000-memory.dmp

memory/3568-64-0x0000000006FD0000-0x0000000006FDE000-memory.dmp

memory/3568-65-0x0000000006FE0000-0x0000000006FF4000-memory.dmp

memory/3568-66-0x00000000070E0000-0x00000000070FA000-memory.dmp

memory/3568-67-0x00000000070C0000-0x00000000070C8000-memory.dmp

memory/3568-70-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/1620-71-0x00000000012B0000-0x00000000012DF000-memory.dmp

memory/3492-73-0x0000000008710000-0x000000000889E000-memory.dmp

memory/3492-75-0x0000000008260000-0x0000000008330000-memory.dmp