Malware Analysis Report

2024-10-16 05:22

Sample ID 240729-a823ysyemc
Target Executor.zip
SHA256 adddee304c8fb5e6cd48fa019e0776b70ca46920817d5495147858bd6c795e5b
Tags cryptone packer discovery credential_access spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 adddee304c8fb5e6cd48fa019e0776b70ca46920817d5495147858bd6c795e5b

Threat Level: Known bad

The file Executor.zip was found to be: Known bad.

Malicious Activity Summary

cryptone packer discovery credential_access spyware stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Credentials from Password Stores: Credentials from Web Browsers

CryptOne packer

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates processes with tasklist

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 00:54

Signatures

CryptOne packer

cryptone packer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 00:53

Reported

2024-07-29 00:55

Platform

win7-20240708-en

Max time kernel

33s

Max time network

20s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2588 created 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Windows\Explorer.EXE

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\NamesGuards | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\IllustrationsNhl | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\CyberTomorrow | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\KevinShoppercom | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\ColourTribes | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\ModelingFramed | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\RegisteredAsking | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\GardenAngola | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\TeensCore | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2756 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2632 wrote to memory of 812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2632 wrote to memory of 812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2632 wrote to memory of 812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2632 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2632 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2632 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2632 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2632 wrote to memory of 1096 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 1096 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 1096 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 1096 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2632 wrote to memory of 1924 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 1924 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 1924 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 1924 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif
PID 2632 wrote to memory of 2588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif
PID 2632 wrote to memory of 2588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif
PID 2632 wrote to memory of 2588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif
PID 2632 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2632 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2632 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2632 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2588 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 2588 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 2588 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 2588 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 2588 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 2588 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 2588 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 2588 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 2588 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe

"C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Band Band.cmd & Band.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 277186

C:\Windows\SysWOW64\findstr.exe

findstr /V "inquiriesrowsforthcurrency" Cheapest

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Distributors + Expect + Producing + Greeting + Worcester + Licenses + Uh 277186\t

C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif

Russia.pif t

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | joMZLtjGsayRoxaCdkjXEahqO.joMZLtjGsayRoxaCdkjXEahqO | udp
N/A | 185.196.9.6:43164 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Band

MD5 41f773e4635bf0ce3f6fd2e5e138b759
SHA1 ed2b04eb29390f90358bc552046c1bb8153c628d
SHA256 0dc4df658a22390fce5917fc2ea1068b9a627feae34993dbcfc87b253e0ac636
SHA512 96342ba3aa3aa7555ffcec2b959b65fdfdc9e0310e3e9b474f970c7419ed2cea27e1295c66d33d1d4f7704097d4d6334d4655765878f03ebd65e2672a6de0150

C:\Users\Admin\AppData\Local\Temp\Cheapest

MD5 e1ba7d84a25094a6ef733f86f482d1e5
SHA1 4b39e7264dc4eeec28f6c70461bfcd547215b315
SHA256 7a026e03662f42ecb2fad9cc17f851954f8e4c40ca06331b20e56d5f294ad632
SHA512 ae623800b5c7e6d9d060e9584666fb7c3b752c529e3084434f8ce603590df592a8233300d3b1e0450e92d63a30258eef6a45d0ee700b2d2d35ef22f22ab6a63d

C:\Users\Admin\AppData\Local\Temp\Examinations

MD5 3b8e6513b6e5b2cd7becd7b27ed16c77
SHA1 d65b57ffeae5ff3b3334ae738d5588dbf6bfaa6b
SHA256 f99f91bae0a1bd6427573fa22dea077fa39d4c2bbbf527fb6da4dbe3941ef1c9
SHA512 662d4ed978bcbd1614e23df6da10427d66763ff77a12a9d03da38afaf2a301d9a6feeeaa2fb2eb09be96b243435588c14a091c6cee35594f6d25c3dc2e2b26da

C:\Users\Admin\AppData\Local\Temp\Tub

MD5 55993dda77a793354db8374405db6fad
SHA1 8fd25d794dbf3afbab2024bf4c4482d32548ee30
SHA256 e465d7e75246179a247cb2232cbd642fefa726ad6aeb1c3b01173d484570c58c
SHA512 512a89564c38e1dcff703a9a159c83f8d48904a36561414e0c6757625948d53f65de44569dba27cdbdec6831960794fd4282efae2b2262e7b897179782795e1d

C:\Users\Admin\AppData\Local\Temp\Violin

MD5 d8a8aa7ceca6a826e83be6a8b7139369
SHA1 debde6e226b8e60172cddcba04214c3c19a0172f
SHA256 f4bf6099730715aaac83cd94866ee3e5550f9439d06de50a13c503ca432ce17d
SHA512 7ab23b333c711e78c5ecc3a568b150ca0bc59d699f9d0bdff3c56bd7451338df6f143721385b5587fa76b1e71b476c3bf1da492009afe2c0f85820147518d95c

C:\Users\Admin\AppData\Local\Temp\Message

MD5 62617e5d353f09661bc05014d9aa8901
SHA1 b3c72a0ec8b30784bd8442b86fdadd8f4c4dbf4f
SHA256 518263f7647d3f8fcc84371b94ad5ab718f0f428ce34918d979c5271b06ed1e7
SHA512 bda57f2efb7fe089b5af4c53c1af0623becae7f3a5c986050d8837a6f3386e1174847a429356feac407ea0f197da214687964f4c233c073282f70822c4df01cc

C:\Users\Admin\AppData\Local\Temp\Generic

MD5 9d62b5183d0608459fc6c0d5bb8b9925
SHA1 516cfa2395a86fdbc4a5ca811f1d0e9de86d3012
SHA256 43eb4c0e6f38f9de42b757118100a43a29d93c9b1c451018ad85b777c954b0b3
SHA512 0acebfd86ee08b36d7e4d8860c15c75740ce027581434629a248141a2cbc29a794c3af565f550112d2ff14514ee330ebb85a1ae28ff08cb1f11f6e00da604b4a

C:\Users\Admin\AppData\Local\Temp\Buses

MD5 4c08af32dc197d6587921648ace5bd94
SHA1 facfe515a0f6b46d1780c0ce4007e9fd7a513189
SHA256 acb3737d4421fd26f7032b9e450e7cf3857c460e5e9a85a31117653e5c03720c
SHA512 a069e3c19b707526a61d91973bf603d76521b05909f6112910656b7ca08b2be4739c129de3a1f188489e03ebb0c1205feb9e8b6a8a9178241240aea42d3fba48

C:\Users\Admin\AppData\Local\Temp\Molecules

MD5 dee8a55e2c4255bb37bd36c5ba3a3d9d
SHA1 faf5a27117148b2037e7631d10c5330096feab38
SHA256 1b7ae5b953166682aa8b65830993ccd8d009384b86af661a97dcfd499102d4c2
SHA512 cf5022a864bfd552fa44ef87591fd3ff91ce494acd243094b2f4149da403ad919dfd68ef32b0d280500e83ef1fd32261eea58314df8e29228e4f141af7082b81

C:\Users\Admin\AppData\Local\Temp\Tab

MD5 537a42de978494e1e949a41b487a859b
SHA1 5ddab4613eac4b33f2a4d84e8e8e034158d12d0e
SHA256 53050ebafb44ca64ecd5c34904d8d94941b85a0d9acb7b5b3a6ad6e8d6e18a2d
SHA512 4ea03d81d2e2000f4f41c34e383fe5e9d5ae97470954cd56f82fd605fc40429629cb2e681ad6524d82ca6ca142b46511dfaa246860daa45a68355a229ad27b58

C:\Users\Admin\AppData\Local\Temp\Lower

MD5 3595ee41f02f71d851030a1c40aeb7aa
SHA1 b6a6830d02184edeff215e20c46d68105498d712
SHA256 9cb894e8cf8f939bef7a31d9754f775983359df60b66c48112561915fe258dbf
SHA512 d26d7c156fe9d59ebeac8542793dfbff7fc38d7b6fb6e88582469290a967ad8fe7a629e370298944d42ca36f2fa09ef5e803de2d015ab35334fca7246e3fe86a

C:\Users\Admin\AppData\Local\Temp\Shit

MD5 3aae61bde5dd4835ff9fba8aea495965
SHA1 d8c923819e516dc86281d997620ee59071b00e27
SHA256 8bc6c5df3491dbfe7108d08bdc752e7b18a544543d38eeb2246ed31ae997f51b
SHA512 b62b4bcf535612d759a76751d08ec50043f5609b9bc4e603acfd04fa0f1a2adc0dd05ebd451ad0aaf5321ba10a35622ca0299d8a5600522ca748bd3a5eb55e1f

C:\Users\Admin\AppData\Local\Temp\Viewed

MD5 3a7f0541fd966d88a1300ce0fda8f24e
SHA1 5613d91936520f8db8a4f10e0b9915074820550d
SHA256 b50b93e11747246151018a73c9f0a42d7e0e518395a13a44c2caeccec430844e
SHA512 e6a099530a096e8730e8329b512823575fcda5104e3a3fe888ab249c2f47fd45c86608fc792b23ebfc22fba405cffaba4546eb612651ef913dafdb1b8b035a87

C:\Users\Admin\AppData\Local\Temp\Gothic

MD5 d553f3226cea122836c6e7f55445eb22
SHA1 8081faf63feb587a26a021c6bd1665d9bc22ed1c
SHA256 fd15e7f437745ba5c472eed35cfa3fd7314a83aa27ba63ecc6a994677927f12b
SHA512 42b9464a7671a5b5c1cfbe17c7cabe4325bd79b30ede843099d5213fb4e4c7a695bb1ab84cd4eedeed9c316b8eb60fcb9f474dd02cbadbc3ea001e45f3119ab8

C:\Users\Admin\AppData\Local\Temp\Beaches

MD5 caaed32ada79377aa884be3005d6600e
SHA1 16a2e4f6b84f63301304cca754b258e4fdee8951
SHA256 f89adaef9ff363466c38bc5a4b2abdef9b98fe0f6d1e62269ddadf96f9f2765c
SHA512 19d9990dc8fede7c9390cde7a10c08ed6a59e856ad99dd160cd346dfdae13023ea0ea245f102fab1b20f7a74cbb69a0b1dcf8f3948dfab81383bed3e39d1d03b

C:\Users\Admin\AppData\Local\Temp\Discussed

MD5 6326c7058eba779b4b6eb8a348b03913
SHA1 fff66c93e6f86f7c141c843b8fa736ee2b8864be
SHA256 53a6fe3ca28fd090c40663038239b79572b8fc2db242800f8771c195ead550ee
SHA512 e0df89db891907f00e79caac37598d6931459d61a0b6243e153f2a594e12c895c81ec0a9a4d32655fb2fb7c40ea4f09ee12ac920807de60d8b8657883b890fd0

C:\Users\Admin\AppData\Local\Temp\Pee

MD5 474b74537d1139558f175cbc0b8fe12d
SHA1 f1017b76223c66cb35a3695c397eb80bebdf6962
SHA256 05872c123e498b1c41147606d7329889ec7a8b72002e3c7549990ef193643cc2
SHA512 78249c45931c4b190d8d4106bdf615dd724b937f8de777fe9c8be21febd056a62e58a9f6531c5167d92ba357e5baabda7e4dde5e5bb4e72be492db9bd27b749c

C:\Users\Admin\AppData\Local\Temp\Tide

MD5 fa18382a5b8b5e946d1d0c600cb35071
SHA1 0a70a514f5dafc94508277f44c9e83df90de77b7
SHA256 4d8f1b053d0d6bfbe4d1f969c15c7b103e6495aff4a3110fcdd90f790edbc266
SHA512 0ac5cb9394b14b77e7d907b53da78aacbbe9a35f36505f2e3fd6ffc835f8b3539a4da0c7c20dc4ac1e6a1fa9d4f8ec432e08c03db6b0509e9ee92ad881fc1d57

C:\Users\Admin\AppData\Local\Temp\Pearl

MD5 8c00280bb9b25e3007133e6f62005205
SHA1 b7a977d65ffe9ee788a29e0c5d95f26c53267d50
SHA256 abf66598def79aaa718725b30a78e593d6cf0b25f1bec1df2d297be801433f43
SHA512 7110dfdb4a2ff3a82e90c722c6b5241b8d6f3e738ef28d7659935704019d93780c34bfb0552f031015db0c4f3b4cfbb216a0dca4c608083b02cd9e9b57efd487

C:\Users\Admin\AppData\Local\Temp\Little

MD5 1e98b8c12d48485237cbdfc0fcdc00f2
SHA1 d8064ba01307b8530bd68a37977f711f62d1c3e4
SHA256 13e883986800c429bb52c4dbdf53e72a23f889e87ded6c328aae9855285d16a6
SHA512 b6994f2052daefc9a02d6728ff3ca36eda5e5007e76b75e703f4e4cb8e644c8913593818b4737e6f7d6011cd38eb371339558447d35a039d144ce38e96263a53

C:\Users\Admin\AppData\Local\Temp\Pre

MD5 deacdede30078b3e2f2910d87f43cb65
SHA1 66c0c0e21f0f292e000f077a8e1cafd11fb68f1c
SHA256 6344a72432361f7d8f059a70f58f1d1b2877690dbbc8dd9a47acff86107e9194
SHA512 128e142bed5d7a017ab19c4ebfff4b48f3c75743a991d3191a7548119b85626755be7948f9fcc0aa2a5f3e8405734d89ae6b922bed02ab8f8b98cbab380870c6

C:\Users\Admin\AppData\Local\Temp\Respective

MD5 89db0ea36d6a1b7cc7008f6b3bd80fb3
SHA1 1184f9eb79da240232cae2b6ecf4fe077ea4e2fe
SHA256 5bf2d54d19a58bba4901b9bf21abb347a0e005a13a359ec0b37eb29b05e65b61
SHA512 3dcd82ee21a6c090436d3d3fe6aaf8aa20a2ab4d805a9ae6d2c9079cff6af02595197ec0b416beac17f043b139dc07f3cc855627531b4d42cd4467f5b33b4401

C:\Users\Admin\AppData\Local\Temp\Parental

MD5 a157756c8e87c510713e9c17efb27fbc
SHA1 0a9542243bb9ddc301f7a065a7f768ec8eafc4bf
SHA256 ad7adbfe91d887a3fcfa60e7ed0d8fd1edbc4f1a96f7d9e03bc8d34cb1d6d639
SHA512 ad23c3ba3e42e0bdf422b80acea5a12da19d21b17604317cdabfb5fa4fb37f2f4a6f7b6b82068fe9124bd989e5fa29c3703d4332c2ed59a9059da8521bc8fc62

C:\Users\Admin\AppData\Local\Temp\Yo

MD5 0ccaf05144c9d2b1c1884df6e4c33582
SHA1 f4ae18e4c89b55827e7788ae62d0bbe485e86459
SHA256 e685cc6ccad134866f445b2b72e8d299ee594a24e862812f5ec5349a57a0aa75
SHA512 6141ad17b1784b76d6ec5326b8461dd0448fd27f24c93df6ce149b3947c28ca43e8e01a9a8cd1c71244eea39b9711a896d2b13fed89b3e693aa7a43949ad51db

C:\Users\Admin\AppData\Local\Temp\Distributors

MD5 0a4057e2c17d502c9c2c338317072b5b
SHA1 dbc45f658a9f3645a09ebff5e322d06eb3edd029
SHA256 1361c77d0663b8e7d31a8cd6eadfd3a67298894e5dd3c5431564d776f6ae3776
SHA512 3c9a72693dd100a82f030b10ef227ab9339d532983a6dd11aae287fe61d7b6be24eb47e89cd928a895b112faeaf33b0b0c5c50f1300d8b4d32fdbcba18f8cc74

C:\Users\Admin\AppData\Local\Temp\Uh

MD5 7ae9dd3c7faff58ef7ce855c6f98f4f9
SHA1 f5cf08349803c694b3028026027bc229dec1169a
SHA256 4eb08bb029a54194658012d08dc10779eaa642b6891f1b46033fcc70c226af81
SHA512 5b6c2a2a7e0bd3ad0a2b1f6cad96cd2b4ab7c4523b7d8729e4f86f79b2d3c0da6dcdfe70dafc560498820b6d50115c8f0f8e8525d6ddf75ac3d971fb84189a9a

C:\Users\Admin\AppData\Local\Temp\Licenses

MD5 b7b089bcfc9bfee097d6d3018480e382
SHA1 58849a0e945d383c026970dd57d5ee905e75abff
SHA256 c977ed8f489d1c8ced4c54965eaf93981d1ad0a7818f0dbee3a72ab0b4f0a4ff
SHA512 9e75cb1e6d0966a6d91fb436001412b3330a384e1fd120ff684a6cc3bad3df7dfc4081293be561e63a971b5647c7b782f13c363ff99dc3aafdaf3ec5193a54a0

C:\Users\Admin\AppData\Local\Temp\Worcester

MD5 08a72f7db45d79af6db1591882411cb3
SHA1 78085c1c1d999d52c8e14a2e56ca898ba5fe3e0e
SHA256 dc839e2336da3148abe9c0ef8e46d0e50e5d1998c93e092bb98a1b40ccce5661
SHA512 c69ca4ee509ba82fac37f35f5eaaa70910a156a5d6b0171708a36905febd0bdc52dad5c0a0c7d2eb0afd3bd0ee96ee37730fc5bd54adefac63b7ac33b28d0108

C:\Users\Admin\AppData\Local\Temp\Greeting

MD5 13562f71944c152df48f0808273297e1
SHA1 be792d884d750acd9097a4d9f11aabbd18b6a1c3
SHA256 b3f4532bd291ea278b2f820f177aacf1eabae520cb1c9fb64748684586d2daa3
SHA512 3972390d23d36e30bc05749cd4f1c75046f7810dab4de9a8476dcba6475b328b693cb9fd0922552087250b798242f9025922d51a6420c83dd470f760ea876854

C:\Users\Admin\AppData\Local\Temp\Producing

MD5 bf95efbdd9c0ca9b57a4eb07704394ce
SHA1 3c7270cc9daf019113bffb87241613b5468931c8
SHA256 6a807295d6095f092b699189e70df4beb466baee63bc18bb4a600af838eef890
SHA512 64f71613c59bf21a891d8229e8342155bf5d0c24fb6209eb23161c6d5df10f600e480f0f3588e3ede9af6323fe560b2a2eb4267e079f2d4eb57b911fdb4ef0fc

C:\Users\Admin\AppData\Local\Temp\Expect

MD5 9cdaf56324d435a752925219335ad2cb
SHA1 32001407ec54b003e3e5b232b60f69b69dea6ade
SHA256 d248e1446fa011d3dce6b387fbf6e0291eb955772bd0505bcdf1b770b112722f
SHA512 117dc6157db4d989c37b8fffcb946a25f859cfb057b5749df12753d5f93ae17bbdeee2ce744ba39ac986bf244202b0e8867aa5d54eb5aaca69aa5d833cf81d7e

C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

C:\Users\Admin\AppData\Local\Temp\277186\t

MD5 811b9e1a1e01f54890f93c8f54a2a401
SHA1 6316c94c40ab69de5a036f8cb2e7339f69d53aff
SHA256 d3ed28f8695559990b5dee4c24de3b7df9667bb724c136bc75f655ee13d7d929
SHA512 2d8a263eb134b0fa6db3e06b696da0df7de6e435472a4f2c32a8146d8568fcf730b36088d7645bb16d44b87384687a78b2b07c45af3490246c09338cff79d494

\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/2704-75-0x0000000000090000-0x0000000000110000-memory.dmp

memory/2704-78-0x0000000000090000-0x0000000000110000-memory.dmp

memory/2704-77-0x0000000000090000-0x0000000000110000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-29 00:53

Reported

2024-07-29 00:56

Platform

win10v2004-20240709-en

Max time kernel

75s

Max time network

88s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4672 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Windows\Explorer.EXE
PID 4672 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Windows\Explorer.EXE
PID 4672 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Windows\Explorer.EXE

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\RegisteredAsking | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\IllustrationsNhl | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\CyberTomorrow | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\GardenAngola | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\ColourTribes | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\KevinShoppercom | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\TeensCore | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\ModelingFramed | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
File opened for modification | C:\Windows\NamesGuards | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1412 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 4952 wrote to memory of 712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 4952 wrote to memory of 712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 4952 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4952 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4952 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4952 wrote to memory of 452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 4952 wrote to memory of 452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 4952 wrote to memory of 452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 4952 wrote to memory of 3100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4952 wrote to memory of 3100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4952 wrote to memory of 3100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4952 wrote to memory of 4488 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4488 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4488 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 1208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4952 wrote to memory of 1208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4952 wrote to memory of 1208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4952 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif
PID 4952 wrote to memory of 4672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif
PID 4952 wrote to memory of 4672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif
PID 4952 wrote to memory of 4968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 4952 wrote to memory of 4968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 4952 wrote to memory of 4968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 4672 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 4672 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 4672 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 4672 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 4672 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 4672 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 4672 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 4672 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 4672 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 4672 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
PID 4672 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe

"C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Band Band.cmd & Band.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 277186

C:\Windows\SysWOW64\findstr.exe

findstr /V "inquiriesrowsforthcurrency" Cheapest

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Distributors + Expect + Producing + Greeting + Worcester + Licenses + Uh 277186\t

C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif

Russia.pif t

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 joMZLtjGsayRoxaCdkjXEahqO.joMZLtjGsayRoxaCdkjXEahqO udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
CH 185.196.9.6:43164 tcp
US 8.8.8.8:53 6.9.196.185.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Band

C:\Users\Admin\AppData\Local\Temp\Cheapest

C:\Users\Admin\AppData\Local\Temp\Examinations

C:\Users\Admin\AppData\Local\Temp\Tub

C:\Users\Admin\AppData\Local\Temp\Tide

C:\Users\Admin\AppData\Local\Temp\Pearl

C:\Users\Admin\AppData\Local\Temp\Respective

C:\Users\Admin\AppData\Local\Temp\Little

C:\Users\Admin\AppData\Local\Temp\Pre

C:\Users\Admin\AppData\Local\Temp\Discussed

C:\Users\Admin\AppData\Local\Temp\Pee

C:\Users\Admin\AppData\Local\Temp\Beaches

C:\Users\Admin\AppData\Local\Temp\Parental

C:\Users\Admin\AppData\Local\Temp\Gothic

C:\Users\Admin\AppData\Local\Temp\Yo

C:\Users\Admin\AppData\Local\Temp\Viewed

C:\Users\Admin\AppData\Local\Temp\Shit

C:\Users\Admin\AppData\Local\Temp\Lower

C:\Users\Admin\AppData\Local\Temp\Tab

C:\Users\Admin\AppData\Local\Temp\Molecules

C:\Users\Admin\AppData\Local\Temp\Buses

C:\Users\Admin\AppData\Local\Temp\Generic

C:\Users\Admin\AppData\Local\Temp\Message

C:\Users\Admin\AppData\Local\Temp\Violin

C:\Users\Admin\AppData\Local\Temp\Distributors

C:\Users\Admin\AppData\Local\Temp\Greeting

C:\Users\Admin\AppData\Local\Temp\Producing

C:\Users\Admin\AppData\Local\Temp\Expect

C:\Users\Admin\AppData\Local\Temp\Uh

C:\Users\Admin\AppData\Local\Temp\Licenses

C:\Users\Admin\AppData\Local\Temp\Worcester

C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif

C:\Users\Admin\AppData\Local\Temp\277186\t

C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-29 00:53

Reported

2024-07-29 00:57

Platform

win7-20240704-en

Max time kernel

120s

Max time network

129s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Executor\bin\api.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.spl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.18\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon\ = "\"%1\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.23" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\bin\\api.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 2356 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1604 wrote to memory of 2356 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1604 wrote to memory of 2356 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1604 wrote to memory of 2356 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1604 wrote to memory of 2356 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1604 wrote to memory of 2356 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1604 wrote to memory of 2356 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Executor\bin\api.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Executor\bin\api.dll

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-29 00:53

Reported

2024-07-29 00:57

Platform

win10v2004-20240709-en

Max time kernel

143s

Max time network

159s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Executor\bin\api.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4704 wrote to memory of 1688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Executor\bin\api.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Executor\bin\api.dll

Network

Country Destination Domain Proto

Files

N/A