Analysis Overview
SHA256
575705c528670f20553d58f176ac0b78db137d53b779628c350113128213dbc1
Threat Level: Known bad
The file Executor.rar was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
CryptOne packer
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Executes dropped EXE
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates processes with tasklist
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-24 02:48
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-24 02:48
Reported
2024-07-24 02:53
Platform
win11-20240709-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2748 created 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | C:\Windows\Explorer.EXE |
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Evaluating Evaluating.cmd & Evaluating.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 487900
C:\Windows\SysWOW64\findstr.exe
findstr /V "discussingexaminationflipaustin" Imported
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Js + Foot + Soc + Paradise + Employers + Washington 487900\h
C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif
487900\Farmer.pif 487900\h
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| CH | 185.196.9.6:43164 | | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Evaluating
C:\Users\Admin\AppData\Local\Temp\Imported
C:\Users\Admin\AppData\Local\Temp\Recommendations
C:\Users\Admin\AppData\Local\Temp\Bit
C:\Users\Admin\AppData\Local\Temp\Caroline
C:\Users\Admin\AppData\Local\Temp\Indicator
C:\Users\Admin\AppData\Local\Temp\Defined
C:\Users\Admin\AppData\Local\Temp\Bullet
C:\Users\Admin\AppData\Local\Temp\Dealer
C:\Users\Admin\AppData\Local\Temp\Applied
C:\Users\Admin\AppData\Local\Temp\Balloon
C:\Users\Admin\AppData\Local\Temp\Patio
C:\Users\Admin\AppData\Local\Temp\Leaf
C:\Users\Admin\AppData\Local\Temp\Reprint
C:\Users\Admin\AppData\Local\Temp\Ashley
C:\Users\Admin\AppData\Local\Temp\Loving
C:\Users\Admin\AppData\Local\Temp\Affordable
C:\Users\Admin\AppData\Local\Temp\Corner
C:\Users\Admin\AppData\Local\Temp\Bookmark
C:\Users\Admin\AppData\Local\Temp\Bidding
C:\Users\Admin\AppData\Local\Temp\Unemployment
C:\Users\Admin\AppData\Local\Temp\Ahead
C:\Users\Admin\AppData\Local\Temp\Analyses
C:\Users\Admin\AppData\Local\Temp\Building
C:\Users\Admin\AppData\Local\Temp\Js
C:\Users\Admin\AppData\Local\Temp\Foot
C:\Users\Admin\AppData\Local\Temp\Washington
C:\Users\Admin\AppData\Local\Temp\Employers
C:\Users\Admin\AppData\Local\Temp\Paradise
C:\Users\Admin\AppData\Local\Temp\Soc
C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif
C:\Users\Admin\AppData\Local\Temp\487900\h
C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-24 02:48
Reported
2024-07-24 02:53
Platform
win11-20240709-en
Max time kernel
90s
Max time network
94s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bin\\api.dll\\2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{31CAF6E4-D6AA-4090-A050-A5AC8972E9EF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bin\\api.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1164 wrote to memory of 1132 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1164 wrote to memory of 1132 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1164 wrote to memory of 1132 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bin\api.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\bin\api.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |