Analysis Overview
SHA256
adddee304c8fb5e6cd48fa019e0776b70ca46920817d5495147858bd6c795e5b
Threat Level: Known bad
The file Executor.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Credentials from Password Stores: Credentials from Web Browsers
CryptOne packer
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates processes with tasklist
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-29 00:54
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-29 00:53
Reported
2024-07-29 00:55
Platform
win7-20240708-en
Max time kernel
33s
Max time network
20s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2588 created 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\NamesGuards | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\IllustrationsNhl | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\CyberTomorrow | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\KevinShoppercom | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\ColourTribes | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\ModelingFramed | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\RegisteredAsking | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\GardenAngola | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\TeensCore | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | "C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Band Band.cmd & Band.cmd & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 277186 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "inquiriesrowsforthcurrency" Cheapest |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Distributors + Expect + Producing + Greeting + Worcester + Licenses + Uh 277186\t |
| C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | Russia.pif t |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
| C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe |
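The `copy /b` step in the process tree rebuilds the second-stage file 277186\t from seven dropped fragments, in the order given on the command line (the same command line recurs in the behavioral2 run). The script below is an added example, not part of the sandbox output: it parses that command line, concatenates the fragments in the stated order and compares the SHA256 of the result with the value the report lists for 277186\t. The fragment bytes here are constructed placeholders; with the real dropped files recovered from the analysis, a matching hash confirms the reassembly was captured completely and in the right order.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Command line as recorded in the process tree (behavioral1 and behavioral2).
COPY_CMD = ("cmd /c copy /b Distributors + Expect + Producing + Greeting"
            " + Worcester + Licenses + Uh 277186\\t")

# SHA256 the report lists for C:\Users\Admin\AppData\Local\Temp\277186\t.
REPORTED_T_SHA256 = "d3ed28f8695559990b5dee4c24de3b7df9667bb724c136bc75f655ee13d7d929"

# Constructed stand-ins for the seven dropped fragments. In a real review these
# bytes come from the files recovered with the analysis; the placeholders only
# exercise the ordering and hashing logic.
CONSTRUCTED_FRAGMENTS: Dict[str, bytes] = {
    "Distributors": b"fragment-1|",
    "Expect": b"fragment-2|",
    "Producing": b"fragment-3|",
    "Greeting": b"fragment-4|",
    "Worcester": b"fragment-5|",
    "Licenses": b"fragment-6|",
    "Uh": b"fragment-7|",
}

# `copy /b A + B + C dst`: the source list is everything between /b and the
# final token; the `$` anchor forces the destination to be the last token.
_COPY_B = re.compile(r"\bcopy\s+/b\s+(?P<src>.+?)\s+(?P<dst>\S+)\s*$", re.IGNORECASE)


def parse_copy_b(cmdline: str) -> Tuple[List[str], str]:
    """Return the fragment names in concatenation order and the destination path."""
    m = _COPY_B.search(cmdline)
    if m is None:
        raise ValueError(f"not a copy /b concatenation: {cmdline!r}")
    order = [name.strip() for name in m.group("src").split("+")]
    if not all(order):
        raise ValueError("empty fragment name in copy /b source list")
    return order, m.group("dst")


def reassemble(fragments: Dict[str, bytes], order: List[str]) -> bytes:
    """Binary-concatenate the fragments exactly as `copy /b` does, in list order."""
    missing = [name for name in order if name not in fragments]
    if missing:
        raise KeyError(f"fragments not recovered from the analysis: {missing}")
    return b"".join(fragments[name] for name in order)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_staged_payload(fragments: Dict[str, bytes], cmdline: str,
                          expected_sha256: str) -> Tuple[str, bool, bytes]:
    """Rebuild the destination file and report whether it matches the expected hash."""
    order, dst = parse_copy_b(cmdline)
    blob = reassemble(fragments, order)
    return dst, sha256_hex(blob) == expected_sha256.lower(), blob


if __name__ == "__main__":
    dst, matches, blob = verify_staged_payload(CONSTRUCTED_FRAGMENTS, COPY_CMD, REPORTED_T_SHA256)
    print(f"{dst}: {len(blob)} bytes rebuilt, SHA256 matches report: {matches}")
```

Order matters: swapping any two fragments changes the hash, so a mismatch against the reported SHA256 usually means a fragment is missing or was captured before the loader finished writing it, not that the report is wrong.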
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | joMZLtjGsayRoxaCdkjXEahqO.joMZLtjGsayRoxaCdkjXEahqO | udp |
| N/A | 185.196.9.6:43164 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Band
| MD5 | 41f773e4635bf0ce3f6fd2e5e138b759 |
| SHA1 | ed2b04eb29390f90358bc552046c1bb8153c628d |
| SHA256 | 0dc4df658a22390fce5917fc2ea1068b9a627feae34993dbcfc87b253e0ac636 |
| SHA512 | 96342ba3aa3aa7555ffcec2b959b65fdfdc9e0310e3e9b474f970c7419ed2cea27e1295c66d33d1d4f7704097d4d6334d4655765878f03ebd65e2672a6de0150 |
C:\Users\Admin\AppData\Local\Temp\Cheapest
| MD5 | e1ba7d84a25094a6ef733f86f482d1e5 |
| SHA1 | 4b39e7264dc4eeec28f6c70461bfcd547215b315 |
| SHA256 | 7a026e03662f42ecb2fad9cc17f851954f8e4c40ca06331b20e56d5f294ad632 |
| SHA512 | ae623800b5c7e6d9d060e9584666fb7c3b752c529e3084434f8ce603590df592a8233300d3b1e0450e92d63a30258eef6a45d0ee700b2d2d35ef22f22ab6a63d |
C:\Users\Admin\AppData\Local\Temp\Examinations
| MD5 | 3b8e6513b6e5b2cd7becd7b27ed16c77 |
| SHA1 | d65b57ffeae5ff3b3334ae738d5588dbf6bfaa6b |
| SHA256 | f99f91bae0a1bd6427573fa22dea077fa39d4c2bbbf527fb6da4dbe3941ef1c9 |
| SHA512 | 662d4ed978bcbd1614e23df6da10427d66763ff77a12a9d03da38afaf2a301d9a6feeeaa2fb2eb09be96b243435588c14a091c6cee35594f6d25c3dc2e2b26da |
C:\Users\Admin\AppData\Local\Temp\Tub
| MD5 | 55993dda77a793354db8374405db6fad |
| SHA1 | 8fd25d794dbf3afbab2024bf4c4482d32548ee30 |
| SHA256 | e465d7e75246179a247cb2232cbd642fefa726ad6aeb1c3b01173d484570c58c |
| SHA512 | 512a89564c38e1dcff703a9a159c83f8d48904a36561414e0c6757625948d53f65de44569dba27cdbdec6831960794fd4282efae2b2262e7b897179782795e1d |
C:\Users\Admin\AppData\Local\Temp\Violin
| MD5 | d8a8aa7ceca6a826e83be6a8b7139369 |
| SHA1 | debde6e226b8e60172cddcba04214c3c19a0172f |
| SHA256 | f4bf6099730715aaac83cd94866ee3e5550f9439d06de50a13c503ca432ce17d |
| SHA512 | 7ab23b333c711e78c5ecc3a568b150ca0bc59d699f9d0bdff3c56bd7451338df6f143721385b5587fa76b1e71b476c3bf1da492009afe2c0f85820147518d95c |
C:\Users\Admin\AppData\Local\Temp\Message
| MD5 | 62617e5d353f09661bc05014d9aa8901 |
| SHA1 | b3c72a0ec8b30784bd8442b86fdadd8f4c4dbf4f |
| SHA256 | 518263f7647d3f8fcc84371b94ad5ab718f0f428ce34918d979c5271b06ed1e7 |
| SHA512 | bda57f2efb7fe089b5af4c53c1af0623becae7f3a5c986050d8837a6f3386e1174847a429356feac407ea0f197da214687964f4c233c073282f70822c4df01cc |
C:\Users\Admin\AppData\Local\Temp\Generic
| MD5 | 9d62b5183d0608459fc6c0d5bb8b9925 |
| SHA1 | 516cfa2395a86fdbc4a5ca811f1d0e9de86d3012 |
| SHA256 | 43eb4c0e6f38f9de42b757118100a43a29d93c9b1c451018ad85b777c954b0b3 |
| SHA512 | 0acebfd86ee08b36d7e4d8860c15c75740ce027581434629a248141a2cbc29a794c3af565f550112d2ff14514ee330ebb85a1ae28ff08cb1f11f6e00da604b4a |
C:\Users\Admin\AppData\Local\Temp\Buses
| MD5 | 4c08af32dc197d6587921648ace5bd94 |
| SHA1 | facfe515a0f6b46d1780c0ce4007e9fd7a513189 |
| SHA256 | acb3737d4421fd26f7032b9e450e7cf3857c460e5e9a85a31117653e5c03720c |
| SHA512 | a069e3c19b707526a61d91973bf603d76521b05909f6112910656b7ca08b2be4739c129de3a1f188489e03ebb0c1205feb9e8b6a8a9178241240aea42d3fba48 |
C:\Users\Admin\AppData\Local\Temp\Molecules
| MD5 | dee8a55e2c4255bb37bd36c5ba3a3d9d |
| SHA1 | faf5a27117148b2037e7631d10c5330096feab38 |
| SHA256 | 1b7ae5b953166682aa8b65830993ccd8d009384b86af661a97dcfd499102d4c2 |
| SHA512 | cf5022a864bfd552fa44ef87591fd3ff91ce494acd243094b2f4149da403ad919dfd68ef32b0d280500e83ef1fd32261eea58314df8e29228e4f141af7082b81 |
C:\Users\Admin\AppData\Local\Temp\Tab
| MD5 | 537a42de978494e1e949a41b487a859b |
| SHA1 | 5ddab4613eac4b33f2a4d84e8e8e034158d12d0e |
| SHA256 | 53050ebafb44ca64ecd5c34904d8d94941b85a0d9acb7b5b3a6ad6e8d6e18a2d |
| SHA512 | 4ea03d81d2e2000f4f41c34e383fe5e9d5ae97470954cd56f82fd605fc40429629cb2e681ad6524d82ca6ca142b46511dfaa246860daa45a68355a229ad27b58 |
C:\Users\Admin\AppData\Local\Temp\Lower
| MD5 | 3595ee41f02f71d851030a1c40aeb7aa |
| SHA1 | b6a6830d02184edeff215e20c46d68105498d712 |
| SHA256 | 9cb894e8cf8f939bef7a31d9754f775983359df60b66c48112561915fe258dbf |
| SHA512 | d26d7c156fe9d59ebeac8542793dfbff7fc38d7b6fb6e88582469290a967ad8fe7a629e370298944d42ca36f2fa09ef5e803de2d015ab35334fca7246e3fe86a |
C:\Users\Admin\AppData\Local\Temp\Shit
| MD5 | 3aae61bde5dd4835ff9fba8aea495965 |
| SHA1 | d8c923819e516dc86281d997620ee59071b00e27 |
| SHA256 | 8bc6c5df3491dbfe7108d08bdc752e7b18a544543d38eeb2246ed31ae997f51b |
| SHA512 | b62b4bcf535612d759a76751d08ec50043f5609b9bc4e603acfd04fa0f1a2adc0dd05ebd451ad0aaf5321ba10a35622ca0299d8a5600522ca748bd3a5eb55e1f |
C:\Users\Admin\AppData\Local\Temp\Viewed
| MD5 | 3a7f0541fd966d88a1300ce0fda8f24e |
| SHA1 | 5613d91936520f8db8a4f10e0b9915074820550d |
| SHA256 | b50b93e11747246151018a73c9f0a42d7e0e518395a13a44c2caeccec430844e |
| SHA512 | e6a099530a096e8730e8329b512823575fcda5104e3a3fe888ab249c2f47fd45c86608fc792b23ebfc22fba405cffaba4546eb612651ef913dafdb1b8b035a87 |
C:\Users\Admin\AppData\Local\Temp\Gothic
| MD5 | d553f3226cea122836c6e7f55445eb22 |
| SHA1 | 8081faf63feb587a26a021c6bd1665d9bc22ed1c |
| SHA256 | fd15e7f437745ba5c472eed35cfa3fd7314a83aa27ba63ecc6a994677927f12b |
| SHA512 | 42b9464a7671a5b5c1cfbe17c7cabe4325bd79b30ede843099d5213fb4e4c7a695bb1ab84cd4eedeed9c316b8eb60fcb9f474dd02cbadbc3ea001e45f3119ab8 |
C:\Users\Admin\AppData\Local\Temp\Beaches
| MD5 | caaed32ada79377aa884be3005d6600e |
| SHA1 | 16a2e4f6b84f63301304cca754b258e4fdee8951 |
| SHA256 | f89adaef9ff363466c38bc5a4b2abdef9b98fe0f6d1e62269ddadf96f9f2765c |
| SHA512 | 19d9990dc8fede7c9390cde7a10c08ed6a59e856ad99dd160cd346dfdae13023ea0ea245f102fab1b20f7a74cbb69a0b1dcf8f3948dfab81383bed3e39d1d03b |
C:\Users\Admin\AppData\Local\Temp\Discussed
| MD5 | 6326c7058eba779b4b6eb8a348b03913 |
| SHA1 | fff66c93e6f86f7c141c843b8fa736ee2b8864be |
| SHA256 | 53a6fe3ca28fd090c40663038239b79572b8fc2db242800f8771c195ead550ee |
| SHA512 | e0df89db891907f00e79caac37598d6931459d61a0b6243e153f2a594e12c895c81ec0a9a4d32655fb2fb7c40ea4f09ee12ac920807de60d8b8657883b890fd0 |
C:\Users\Admin\AppData\Local\Temp\Pee
| MD5 | 474b74537d1139558f175cbc0b8fe12d |
| SHA1 | f1017b76223c66cb35a3695c397eb80bebdf6962 |
| SHA256 | 05872c123e498b1c41147606d7329889ec7a8b72002e3c7549990ef193643cc2 |
| SHA512 | 78249c45931c4b190d8d4106bdf615dd724b937f8de777fe9c8be21febd056a62e58a9f6531c5167d92ba357e5baabda7e4dde5e5bb4e72be492db9bd27b749c |
C:\Users\Admin\AppData\Local\Temp\Tide
| MD5 | fa18382a5b8b5e946d1d0c600cb35071 |
| SHA1 | 0a70a514f5dafc94508277f44c9e83df90de77b7 |
| SHA256 | 4d8f1b053d0d6bfbe4d1f969c15c7b103e6495aff4a3110fcdd90f790edbc266 |
| SHA512 | 0ac5cb9394b14b77e7d907b53da78aacbbe9a35f36505f2e3fd6ffc835f8b3539a4da0c7c20dc4ac1e6a1fa9d4f8ec432e08c03db6b0509e9ee92ad881fc1d57 |
C:\Users\Admin\AppData\Local\Temp\Pearl
| MD5 | 8c00280bb9b25e3007133e6f62005205 |
| SHA1 | b7a977d65ffe9ee788a29e0c5d95f26c53267d50 |
| SHA256 | abf66598def79aaa718725b30a78e593d6cf0b25f1bec1df2d297be801433f43 |
| SHA512 | 7110dfdb4a2ff3a82e90c722c6b5241b8d6f3e738ef28d7659935704019d93780c34bfb0552f031015db0c4f3b4cfbb216a0dca4c608083b02cd9e9b57efd487 |
C:\Users\Admin\AppData\Local\Temp\Little
| MD5 | 1e98b8c12d48485237cbdfc0fcdc00f2 |
| SHA1 | d8064ba01307b8530bd68a37977f711f62d1c3e4 |
| SHA256 | 13e883986800c429bb52c4dbdf53e72a23f889e87ded6c328aae9855285d16a6 |
| SHA512 | b6994f2052daefc9a02d6728ff3ca36eda5e5007e76b75e703f4e4cb8e644c8913593818b4737e6f7d6011cd38eb371339558447d35a039d144ce38e96263a53 |
C:\Users\Admin\AppData\Local\Temp\Pre
| MD5 | deacdede30078b3e2f2910d87f43cb65 |
| SHA1 | 66c0c0e21f0f292e000f077a8e1cafd11fb68f1c |
| SHA256 | 6344a72432361f7d8f059a70f58f1d1b2877690dbbc8dd9a47acff86107e9194 |
| SHA512 | 128e142bed5d7a017ab19c4ebfff4b48f3c75743a991d3191a7548119b85626755be7948f9fcc0aa2a5f3e8405734d89ae6b922bed02ab8f8b98cbab380870c6 |
C:\Users\Admin\AppData\Local\Temp\Respective
| MD5 | 89db0ea36d6a1b7cc7008f6b3bd80fb3 |
| SHA1 | 1184f9eb79da240232cae2b6ecf4fe077ea4e2fe |
| SHA256 | 5bf2d54d19a58bba4901b9bf21abb347a0e005a13a359ec0b37eb29b05e65b61 |
| SHA512 | 3dcd82ee21a6c090436d3d3fe6aaf8aa20a2ab4d805a9ae6d2c9079cff6af02595197ec0b416beac17f043b139dc07f3cc855627531b4d42cd4467f5b33b4401 |
C:\Users\Admin\AppData\Local\Temp\Parental
| MD5 | a157756c8e87c510713e9c17efb27fbc |
| SHA1 | 0a9542243bb9ddc301f7a065a7f768ec8eafc4bf |
| SHA256 | ad7adbfe91d887a3fcfa60e7ed0d8fd1edbc4f1a96f7d9e03bc8d34cb1d6d639 |
| SHA512 | ad23c3ba3e42e0bdf422b80acea5a12da19d21b17604317cdabfb5fa4fb37f2f4a6f7b6b82068fe9124bd989e5fa29c3703d4332c2ed59a9059da8521bc8fc62 |
C:\Users\Admin\AppData\Local\Temp\Yo
| MD5 | 0ccaf05144c9d2b1c1884df6e4c33582 |
| SHA1 | f4ae18e4c89b55827e7788ae62d0bbe485e86459 |
| SHA256 | e685cc6ccad134866f445b2b72e8d299ee594a24e862812f5ec5349a57a0aa75 |
| SHA512 | 6141ad17b1784b76d6ec5326b8461dd0448fd27f24c93df6ce149b3947c28ca43e8e01a9a8cd1c71244eea39b9711a896d2b13fed89b3e693aa7a43949ad51db |
C:\Users\Admin\AppData\Local\Temp\Distributors
| MD5 | 0a4057e2c17d502c9c2c338317072b5b |
| SHA1 | dbc45f658a9f3645a09ebff5e322d06eb3edd029 |
| SHA256 | 1361c77d0663b8e7d31a8cd6eadfd3a67298894e5dd3c5431564d776f6ae3776 |
| SHA512 | 3c9a72693dd100a82f030b10ef227ab9339d532983a6dd11aae287fe61d7b6be24eb47e89cd928a895b112faeaf33b0b0c5c50f1300d8b4d32fdbcba18f8cc74 |
C:\Users\Admin\AppData\Local\Temp\Uh
| MD5 | 7ae9dd3c7faff58ef7ce855c6f98f4f9 |
| SHA1 | f5cf08349803c694b3028026027bc229dec1169a |
| SHA256 | 4eb08bb029a54194658012d08dc10779eaa642b6891f1b46033fcc70c226af81 |
| SHA512 | 5b6c2a2a7e0bd3ad0a2b1f6cad96cd2b4ab7c4523b7d8729e4f86f79b2d3c0da6dcdfe70dafc560498820b6d50115c8f0f8e8525d6ddf75ac3d971fb84189a9a |
C:\Users\Admin\AppData\Local\Temp\Licenses
| MD5 | b7b089bcfc9bfee097d6d3018480e382 |
| SHA1 | 58849a0e945d383c026970dd57d5ee905e75abff |
| SHA256 | c977ed8f489d1c8ced4c54965eaf93981d1ad0a7818f0dbee3a72ab0b4f0a4ff |
| SHA512 | 9e75cb1e6d0966a6d91fb436001412b3330a384e1fd120ff684a6cc3bad3df7dfc4081293be561e63a971b5647c7b782f13c363ff99dc3aafdaf3ec5193a54a0 |
C:\Users\Admin\AppData\Local\Temp\Worcester
| MD5 | 08a72f7db45d79af6db1591882411cb3 |
| SHA1 | 78085c1c1d999d52c8e14a2e56ca898ba5fe3e0e |
| SHA256 | dc839e2336da3148abe9c0ef8e46d0e50e5d1998c93e092bb98a1b40ccce5661 |
| SHA512 | c69ca4ee509ba82fac37f35f5eaaa70910a156a5d6b0171708a36905febd0bdc52dad5c0a0c7d2eb0afd3bd0ee96ee37730fc5bd54adefac63b7ac33b28d0108 |
C:\Users\Admin\AppData\Local\Temp\Greeting
| MD5 | 13562f71944c152df48f0808273297e1 |
| SHA1 | be792d884d750acd9097a4d9f11aabbd18b6a1c3 |
| SHA256 | b3f4532bd291ea278b2f820f177aacf1eabae520cb1c9fb64748684586d2daa3 |
| SHA512 | 3972390d23d36e30bc05749cd4f1c75046f7810dab4de9a8476dcba6475b328b693cb9fd0922552087250b798242f9025922d51a6420c83dd470f760ea876854 |
C:\Users\Admin\AppData\Local\Temp\Producing
| MD5 | bf95efbdd9c0ca9b57a4eb07704394ce |
| SHA1 | 3c7270cc9daf019113bffb87241613b5468931c8 |
| SHA256 | 6a807295d6095f092b699189e70df4beb466baee63bc18bb4a600af838eef890 |
| SHA512 | 64f71613c59bf21a891d8229e8342155bf5d0c24fb6209eb23161c6d5df10f600e480f0f3588e3ede9af6323fe560b2a2eb4267e079f2d4eb57b911fdb4ef0fc |
C:\Users\Admin\AppData\Local\Temp\Expect
| MD5 | 9cdaf56324d435a752925219335ad2cb |
| SHA1 | 32001407ec54b003e3e5b232b60f69b69dea6ade |
| SHA256 | d248e1446fa011d3dce6b387fbf6e0291eb955772bd0505bcdf1b770b112722f |
| SHA512 | 117dc6157db4d989c37b8fffcb946a25f859cfb057b5749df12753d5f93ae17bbdeee2ce744ba39ac986bf244202b0e8867aa5d54eb5aaca69aa5d833cf81d7e |
C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\AppData\Local\Temp\277186\t
| MD5 | 811b9e1a1e01f54890f93c8f54a2a401 |
| SHA1 | 6316c94c40ab69de5a036f8cb2e7339f69d53aff |
| SHA256 | d3ed28f8695559990b5dee4c24de3b7df9667bb724c136bc75f655ee13d7d929 |
| SHA512 | 2d8a263eb134b0fa6db3e06b696da0df7de6e435472a4f2c32a8146d8568fcf730b36088d7645bb16d44b87384687a78b2b07c45af3490246c09338cff79d494 |
\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/2704-75-0x0000000000090000-0x0000000000110000-memory.dmp
memory/2704-78-0x0000000000090000-0x0000000000110000-memory.dmp
memory/2704-77-0x0000000000090000-0x0000000000110000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-29 00:53
Reported
2024-07-29 00:56
Platform
win10v2004-20240709-en
Max time kernel
75s
Max time network
88s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4672 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Windows\Explorer.EXE |
| PID 4672 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Windows\Explorer.EXE |
| PID 4672 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | C:\Windows\Explorer.EXE |
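The rows above record Russia.pif creating a process while naming C:\Windows\Explorer.EXE as its parent rather than itself (parent PID spoofing, ATT&CK T1134.004, normally done by passing a parent-process attribute to the process-creation call). The child then shows up under Explorer in any tool that trusts the reported parent. The script below is an added example, not part of the sandbox output: it joins a Sysmon Event ID 1 style record (whose parent PID is the one the creator supplied) against a kernel process-start record (whose header carries the PID of the process that actually issued the call) and flags every disagreement. Event shapes are simplified stand-ins; the sample treats 3392 as Explorer.EXE's PID and 4672 as Russia.pif's, following the signature row, and the remaining PIDs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessCreate:
    """Sysmon Event ID 1 style record: ppid is the parent the child *reports*."""
    pid: int
    image: str
    ppid: int
    parent_image: str


@dataclass(frozen=True)
class KernelStart:
    """Kernel process-start record: creator_pid is the process that issued the call."""
    pid: int
    creator_pid: int


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    claimed_ppid: int
    claimed_parent_image: str
    creator_pid: int
    creator_image: str


def detect_parent_spoofing(creates: List[ProcessCreate],
                           starts: List[KernelStart]) -> List[Finding]:
    """Flag every process whose reported parent differs from its actual creator."""
    image_by_pid: Dict[int, str] = {e.pid: e.image for e in creates}
    creator_by_pid: Dict[int, int] = {s.pid: s.creator_pid for s in starts}
    findings: List[Finding] = []
    for e in creates:
        creator = creator_by_pid.get(e.pid)
        if creator is None or creator == e.ppid:
            continue  # no kernel record to compare, or parent and creator agree
        findings.append(Finding(e.pid, e.image, e.ppid, e.parent_image,
                                creator, image_by_pid.get(creator, "<unknown>")))
    return findings


# 3392 / 4672 follow the signature row; CMD_PID, ORBIT_PID and REGASM_PID are constructed.
EXPLORER_PID, RUSSIA_PID = 3392, 4672
CMD_PID, ORBIT_PID, REGASM_PID = 4100, 4500, 5100

SAMPLE_CREATES = [
    # Benign: the user launched Orbit.exe from Explorer, so creator and parent agree.
    ProcessCreate(ORBIT_PID, r"C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe",
                  EXPLORER_PID, r"C:\Windows\Explorer.EXE"),
    ProcessCreate(RUSSIA_PID, r"C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif",
                  CMD_PID, r"C:\Windows\SysWOW64\cmd.exe"),
    # RegAsm.exe claims Explorer as parent, as in the report's signature row.
    ProcessCreate(REGASM_PID, r"C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe",
                  EXPLORER_PID, r"C:\Windows\Explorer.EXE"),
]
SAMPLE_STARTS = [
    KernelStart(ORBIT_PID, EXPLORER_PID),
    KernelStart(RUSSIA_PID, CMD_PID),
    KernelStart(REGASM_PID, RUSSIA_PID),  # the call really came from Russia.pif
]

if __name__ == "__main__":
    for f in detect_parent_spoofing(SAMPLE_CREATES, SAMPLE_STARTS):
        print(f"PID {f.pid} {f.image} claims parent {f.claimed_ppid} ({f.claimed_parent_image}) "
              f"but was created by {f.creator_pid} ({f.creator_image})")
```

Sysmon on its own cannot see the creator, which is why the join needs a kernel-level source. Treat a mismatch as high-signal rather than definitive: UAC elevation legitimately produces children whose recorded parent (the requesting process) differs from the service that spawned them, so a production rule should exclude that path.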
Credentials from Password Stores: Credentials from Web Browsers
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\RegisteredAsking | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\IllustrationsNhl | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\CyberTomorrow | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\GardenAngola | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\ColourTribes | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\KevinShoppercom | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\TeensCore | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\ModelingFramed | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| File opened for modification | C:\Windows\NamesGuards | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe | "C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Band Band.cmd & Band.cmd & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 277186 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "inquiriesrowsforthcurrency" Cheapest |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Distributors + Expect + Producing + Greeting + Worcester + Licenses + Uh 277186\t |
| C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif | Russia.pif t |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
| C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe |
| C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe |
| C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe |
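Read in order, the command lines in this process tree (identical in the behavioral1 run) form a fixed staging sequence: rename a dropped file to Band.cmd and run it; tasklist followed by findstr /I for security-product process names (the names grepped for belong to Webroot, Quick Heal, Avast, AVG, ESET, Bitdefender, Norton and Sophos); create the 277186 working directory; findstr /V to drop lines carrying a junk marker from Cheapest (the report does not show where that output is written); copy /b to rebuild a payload from fragments; run the .pif with a one-letter script argument; choice /d y /t 5 as a sleep; then RegAsm.exe launched from the temp directory. The classifier below is an added example, not part of the sandbox output. It scores a batch of process command lines against those stages and is fed the command lines copied from this report; the stage names, regexes and the three-stage threshold are this example's own choices.

```python
import re
from typing import Callable, Dict, List, Set, Tuple

# Command lines copied from the report's process tree.
REPORTED_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Executor\Orbit.exe"',
    r'"C:\Windows\System32\cmd.exe" /k move Band Band.cmd & Band.cmd & exit',
    "tasklist",
    'findstr /I "wrsa.exe opssvc.exe"',
    "tasklist",
    'findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"',
    "cmd /c md 277186",
    'findstr /V "inquiriesrowsforthcurrency" Cheapest',
    r"cmd /c copy /b Distributors + Expect + Producing + Greeting + Worcester + Licenses + Uh 277186\t",
    "Russia.pif t",
    "choice /d y /t 5",
    r"C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe",
]

# Security-product process names the loader grepped for (from the two findstr /I lines).
SECURITY_PROCS: Set[str] = {
    "wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
    "ekrn.exe", "bdservicehost.exe", "nswscsvc.exe", "sophoshealth.exe",
}


def _names_in_findstr(cmd: str) -> Set[str]:
    """Process names quoted in a `findstr /I "a.exe b.exe"` command, lower-cased."""
    m = re.match(r'findstr\s+/I\s+"([^"]+)"', cmd, re.IGNORECASE)
    return set(m.group(1).lower().split()) if m else set()


def _security_product_check(cmd: str) -> bool:
    return bool(_names_in_findstr(cmd) & SECURITY_PROCS)


def _rx(pattern: str) -> Callable[[str], object]:
    return re.compile(pattern, re.IGNORECASE).search


# Each stage is (name, predicate over one command line).
STAGES: List[Tuple[str, Callable[[str], object]]] = [
    ("rename_and_run_batch",        _rx(r"\bmove\s+\S+\s+(?P<bat>\S+\.cmd)\b.*&\s*(?P=bat)\b")),
    ("security_product_check",      _security_product_check),
    ("strip_junk_marker",           _rx(r'^findstr\s+/V\s+"[^"]+"\s+\S+$')),
    ("fragment_reassembly",         _rx(r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+){2,}\s+\S+\s*$")),
    ("pif_interpreter_with_script", _rx(r"^\S+\.pif\s+\S{1,3}$")),
    ("timed_delay",                 _rx(r"^choice\s+/d\s+\S\s+/t\s+\d+")),
    ("regasm_from_temp",            _rx(r"\\Temp\\.*\\RegAsm\.exe$")),
]


def classify(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each matched stage name to the command lines that triggered it."""
    hits: Dict[str, List[str]] = {}
    for cmd in cmdlines:
        c = cmd.strip()
        for name, match in STAGES:
            if match(c):
                hits.setdefault(name, []).append(c)
    return hits


def is_staged_loader_chain(cmdlines: List[str], min_stages: int = 3) -> bool:
    """True when at least min_stages distinct stages appear in one batch of command lines."""
    return len(classify(cmdlines)) >= min_stages


if __name__ == "__main__":
    for stage, cmds in classify(REPORTED_CMDLINES).items():
        print(f"{stage}: {len(cmds)} hit(s)")
    print("staged loader chain:", is_staged_loader_chain(REPORTED_CMDLINES))
```

Individually, `choice /d y /t 5` or a lone `tasklist` is unremarkable; the value is in counting distinct stages within one process tree, which is why the threshold is applied per batch rather than per command line. The fragment names and the junk marker string change between samples, so the regexes key on the shape of each command, not on those literals.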
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | joMZLtjGsayRoxaCdkjXEahqO.joMZLtjGsayRoxaCdkjXEahqO | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| CH | 185.196.9.6:43164 | N/A | tcp |
| US | 8.8.8.8:53 | 6.9.196.185.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Band
| MD5 | 41f773e4635bf0ce3f6fd2e5e138b759 |
| SHA1 | ed2b04eb29390f90358bc552046c1bb8153c628d |
| SHA256 | 0dc4df658a22390fce5917fc2ea1068b9a627feae34993dbcfc87b253e0ac636 |
| SHA512 | 96342ba3aa3aa7555ffcec2b959b65fdfdc9e0310e3e9b474f970c7419ed2cea27e1295c66d33d1d4f7704097d4d6334d4655765878f03ebd65e2672a6de0150 |
C:\Users\Admin\AppData\Local\Temp\Cheapest
| MD5 | e1ba7d84a25094a6ef733f86f482d1e5 |
| SHA1 | 4b39e7264dc4eeec28f6c70461bfcd547215b315 |
| SHA256 | 7a026e03662f42ecb2fad9cc17f851954f8e4c40ca06331b20e56d5f294ad632 |
| SHA512 | ae623800b5c7e6d9d060e9584666fb7c3b752c529e3084434f8ce603590df592a8233300d3b1e0450e92d63a30258eef6a45d0ee700b2d2d35ef22f22ab6a63d |
C:\Users\Admin\AppData\Local\Temp\Examinations
| MD5 | 3b8e6513b6e5b2cd7becd7b27ed16c77 |
| SHA1 | d65b57ffeae5ff3b3334ae738d5588dbf6bfaa6b |
| SHA256 | f99f91bae0a1bd6427573fa22dea077fa39d4c2bbbf527fb6da4dbe3941ef1c9 |
| SHA512 | 662d4ed978bcbd1614e23df6da10427d66763ff77a12a9d03da38afaf2a301d9a6feeeaa2fb2eb09be96b243435588c14a091c6cee35594f6d25c3dc2e2b26da |
C:\Users\Admin\AppData\Local\Temp\Tub
| MD5 | 55993dda77a793354db8374405db6fad |
| SHA1 | 8fd25d794dbf3afbab2024bf4c4482d32548ee30 |
| SHA256 | e465d7e75246179a247cb2232cbd642fefa726ad6aeb1c3b01173d484570c58c |
| SHA512 | 512a89564c38e1dcff703a9a159c83f8d48904a36561414e0c6757625948d53f65de44569dba27cdbdec6831960794fd4282efae2b2262e7b897179782795e1d |
C:\Users\Admin\AppData\Local\Temp\Tide
| MD5 | fa18382a5b8b5e946d1d0c600cb35071 |
| SHA1 | 0a70a514f5dafc94508277f44c9e83df90de77b7 |
| SHA256 | 4d8f1b053d0d6bfbe4d1f969c15c7b103e6495aff4a3110fcdd90f790edbc266 |
| SHA512 | 0ac5cb9394b14b77e7d907b53da78aacbbe9a35f36505f2e3fd6ffc835f8b3539a4da0c7c20dc4ac1e6a1fa9d4f8ec432e08c03db6b0509e9ee92ad881fc1d57 |
C:\Users\Admin\AppData\Local\Temp\Pearl
| MD5 | 8c00280bb9b25e3007133e6f62005205 |
| SHA1 | b7a977d65ffe9ee788a29e0c5d95f26c53267d50 |
| SHA256 | abf66598def79aaa718725b30a78e593d6cf0b25f1bec1df2d297be801433f43 |
| SHA512 | 7110dfdb4a2ff3a82e90c722c6b5241b8d6f3e738ef28d7659935704019d93780c34bfb0552f031015db0c4f3b4cfbb216a0dca4c608083b02cd9e9b57efd487 |
C:\Users\Admin\AppData\Local\Temp\Respective
| MD5 | 89db0ea36d6a1b7cc7008f6b3bd80fb3 |
| SHA1 | 1184f9eb79da240232cae2b6ecf4fe077ea4e2fe |
| SHA256 | 5bf2d54d19a58bba4901b9bf21abb347a0e005a13a359ec0b37eb29b05e65b61 |
| SHA512 | 3dcd82ee21a6c090436d3d3fe6aaf8aa20a2ab4d805a9ae6d2c9079cff6af02595197ec0b416beac17f043b139dc07f3cc855627531b4d42cd4467f5b33b4401 |
C:\Users\Admin\AppData\Local\Temp\Little
| MD5 | 1e98b8c12d48485237cbdfc0fcdc00f2 |
| SHA1 | d8064ba01307b8530bd68a37977f711f62d1c3e4 |
| SHA256 | 13e883986800c429bb52c4dbdf53e72a23f889e87ded6c328aae9855285d16a6 |
| SHA512 | b6994f2052daefc9a02d6728ff3ca36eda5e5007e76b75e703f4e4cb8e644c8913593818b4737e6f7d6011cd38eb371339558447d35a039d144ce38e96263a53 |
C:\Users\Admin\AppData\Local\Temp\Pre
| MD5 | deacdede30078b3e2f2910d87f43cb65 |
| SHA1 | 66c0c0e21f0f292e000f077a8e1cafd11fb68f1c |
| SHA256 | 6344a72432361f7d8f059a70f58f1d1b2877690dbbc8dd9a47acff86107e9194 |
| SHA512 | 128e142bed5d7a017ab19c4ebfff4b48f3c75743a991d3191a7548119b85626755be7948f9fcc0aa2a5f3e8405734d89ae6b922bed02ab8f8b98cbab380870c6 |
C:\Users\Admin\AppData\Local\Temp\Discussed
| MD5 | 6326c7058eba779b4b6eb8a348b03913 |
| SHA1 | fff66c93e6f86f7c141c843b8fa736ee2b8864be |
| SHA256 | 53a6fe3ca28fd090c40663038239b79572b8fc2db242800f8771c195ead550ee |
| SHA512 | e0df89db891907f00e79caac37598d6931459d61a0b6243e153f2a594e12c895c81ec0a9a4d32655fb2fb7c40ea4f09ee12ac920807de60d8b8657883b890fd0 |
C:\Users\Admin\AppData\Local\Temp\Pee
| MD5 | 474b74537d1139558f175cbc0b8fe12d |
| SHA1 | f1017b76223c66cb35a3695c397eb80bebdf6962 |
| SHA256 | 05872c123e498b1c41147606d7329889ec7a8b72002e3c7549990ef193643cc2 |
| SHA512 | 78249c45931c4b190d8d4106bdf615dd724b937f8de777fe9c8be21febd056a62e58a9f6531c5167d92ba357e5baabda7e4dde5e5bb4e72be492db9bd27b749c |
C:\Users\Admin\AppData\Local\Temp\Beaches
| MD5 | caaed32ada79377aa884be3005d6600e |
| SHA1 | 16a2e4f6b84f63301304cca754b258e4fdee8951 |
| SHA256 | f89adaef9ff363466c38bc5a4b2abdef9b98fe0f6d1e62269ddadf96f9f2765c |
| SHA512 | 19d9990dc8fede7c9390cde7a10c08ed6a59e856ad99dd160cd346dfdae13023ea0ea245f102fab1b20f7a74cbb69a0b1dcf8f3948dfab81383bed3e39d1d03b |
C:\Users\Admin\AppData\Local\Temp\Parental
| MD5 | a157756c8e87c510713e9c17efb27fbc |
| SHA1 | 0a9542243bb9ddc301f7a065a7f768ec8eafc4bf |
| SHA256 | ad7adbfe91d887a3fcfa60e7ed0d8fd1edbc4f1a96f7d9e03bc8d34cb1d6d639 |
| SHA512 | ad23c3ba3e42e0bdf422b80acea5a12da19d21b17604317cdabfb5fa4fb37f2f4a6f7b6b82068fe9124bd989e5fa29c3703d4332c2ed59a9059da8521bc8fc62 |
C:\Users\Admin\AppData\Local\Temp\Gothic
| MD5 | d553f3226cea122836c6e7f55445eb22 |
| SHA1 | 8081faf63feb587a26a021c6bd1665d9bc22ed1c |
| SHA256 | fd15e7f437745ba5c472eed35cfa3fd7314a83aa27ba63ecc6a994677927f12b |
| SHA512 | 42b9464a7671a5b5c1cfbe17c7cabe4325bd79b30ede843099d5213fb4e4c7a695bb1ab84cd4eedeed9c316b8eb60fcb9f474dd02cbadbc3ea001e45f3119ab8 |
C:\Users\Admin\AppData\Local\Temp\Yo
| MD5 | 0ccaf05144c9d2b1c1884df6e4c33582 |
| SHA1 | f4ae18e4c89b55827e7788ae62d0bbe485e86459 |
| SHA256 | e685cc6ccad134866f445b2b72e8d299ee594a24e862812f5ec5349a57a0aa75 |
| SHA512 | 6141ad17b1784b76d6ec5326b8461dd0448fd27f24c93df6ce149b3947c28ca43e8e01a9a8cd1c71244eea39b9711a896d2b13fed89b3e693aa7a43949ad51db |
C:\Users\Admin\AppData\Local\Temp\Viewed
| MD5 | 3a7f0541fd966d88a1300ce0fda8f24e |
| SHA1 | 5613d91936520f8db8a4f10e0b9915074820550d |
| SHA256 | b50b93e11747246151018a73c9f0a42d7e0e518395a13a44c2caeccec430844e |
| SHA512 | e6a099530a096e8730e8329b512823575fcda5104e3a3fe888ab249c2f47fd45c86608fc792b23ebfc22fba405cffaba4546eb612651ef913dafdb1b8b035a87 |
C:\Users\Admin\AppData\Local\Temp\Shit
| MD5 | 3aae61bde5dd4835ff9fba8aea495965 |
| SHA1 | d8c923819e516dc86281d997620ee59071b00e27 |
| SHA256 | 8bc6c5df3491dbfe7108d08bdc752e7b18a544543d38eeb2246ed31ae997f51b |
| SHA512 | b62b4bcf535612d759a76751d08ec50043f5609b9bc4e603acfd04fa0f1a2adc0dd05ebd451ad0aaf5321ba10a35622ca0299d8a5600522ca748bd3a5eb55e1f |
C:\Users\Admin\AppData\Local\Temp\Lower
| MD5 | 3595ee41f02f71d851030a1c40aeb7aa |
| SHA1 | b6a6830d02184edeff215e20c46d68105498d712 |
| SHA256 | 9cb894e8cf8f939bef7a31d9754f775983359df60b66c48112561915fe258dbf |
| SHA512 | d26d7c156fe9d59ebeac8542793dfbff7fc38d7b6fb6e88582469290a967ad8fe7a629e370298944d42ca36f2fa09ef5e803de2d015ab35334fca7246e3fe86a |
C:\Users\Admin\AppData\Local\Temp\Tab
| MD5 | 537a42de978494e1e949a41b487a859b |
| SHA1 | 5ddab4613eac4b33f2a4d84e8e8e034158d12d0e |
| SHA256 | 53050ebafb44ca64ecd5c34904d8d94941b85a0d9acb7b5b3a6ad6e8d6e18a2d |
| SHA512 | 4ea03d81d2e2000f4f41c34e383fe5e9d5ae97470954cd56f82fd605fc40429629cb2e681ad6524d82ca6ca142b46511dfaa246860daa45a68355a229ad27b58 |
C:\Users\Admin\AppData\Local\Temp\Molecules
| MD5 | dee8a55e2c4255bb37bd36c5ba3a3d9d |
| SHA1 | faf5a27117148b2037e7631d10c5330096feab38 |
| SHA256 | 1b7ae5b953166682aa8b65830993ccd8d009384b86af661a97dcfd499102d4c2 |
| SHA512 | cf5022a864bfd552fa44ef87591fd3ff91ce494acd243094b2f4149da403ad919dfd68ef32b0d280500e83ef1fd32261eea58314df8e29228e4f141af7082b81 |
C:\Users\Admin\AppData\Local\Temp\Buses
| MD5 | 4c08af32dc197d6587921648ace5bd94 |
| SHA1 | facfe515a0f6b46d1780c0ce4007e9fd7a513189 |
| SHA256 | acb3737d4421fd26f7032b9e450e7cf3857c460e5e9a85a31117653e5c03720c |
| SHA512 | a069e3c19b707526a61d91973bf603d76521b05909f6112910656b7ca08b2be4739c129de3a1f188489e03ebb0c1205feb9e8b6a8a9178241240aea42d3fba48 |
C:\Users\Admin\AppData\Local\Temp\Generic
| MD5 | 9d62b5183d0608459fc6c0d5bb8b9925 |
| SHA1 | 516cfa2395a86fdbc4a5ca811f1d0e9de86d3012 |
| SHA256 | 43eb4c0e6f38f9de42b757118100a43a29d93c9b1c451018ad85b777c954b0b3 |
| SHA512 | 0acebfd86ee08b36d7e4d8860c15c75740ce027581434629a248141a2cbc29a794c3af565f550112d2ff14514ee330ebb85a1ae28ff08cb1f11f6e00da604b4a |
C:\Users\Admin\AppData\Local\Temp\Message
| MD5 | 62617e5d353f09661bc05014d9aa8901 |
| SHA1 | b3c72a0ec8b30784bd8442b86fdadd8f4c4dbf4f |
| SHA256 | 518263f7647d3f8fcc84371b94ad5ab718f0f428ce34918d979c5271b06ed1e7 |
| SHA512 | bda57f2efb7fe089b5af4c53c1af0623becae7f3a5c986050d8837a6f3386e1174847a429356feac407ea0f197da214687964f4c233c073282f70822c4df01cc |
C:\Users\Admin\AppData\Local\Temp\Violin
| MD5 | d8a8aa7ceca6a826e83be6a8b7139369 |
| SHA1 | debde6e226b8e60172cddcba04214c3c19a0172f |
| SHA256 | f4bf6099730715aaac83cd94866ee3e5550f9439d06de50a13c503ca432ce17d |
| SHA512 | 7ab23b333c711e78c5ecc3a568b150ca0bc59d699f9d0bdff3c56bd7451338df6f143721385b5587fa76b1e71b476c3bf1da492009afe2c0f85820147518d95c |
C:\Users\Admin\AppData\Local\Temp\Distributors
| MD5 | 0a4057e2c17d502c9c2c338317072b5b |
| SHA1 | dbc45f658a9f3645a09ebff5e322d06eb3edd029 |
| SHA256 | 1361c77d0663b8e7d31a8cd6eadfd3a67298894e5dd3c5431564d776f6ae3776 |
| SHA512 | 3c9a72693dd100a82f030b10ef227ab9339d532983a6dd11aae287fe61d7b6be24eb47e89cd928a895b112faeaf33b0b0c5c50f1300d8b4d32fdbcba18f8cc74 |
C:\Users\Admin\AppData\Local\Temp\Greeting
| MD5 | 13562f71944c152df48f0808273297e1 |
| SHA1 | be792d884d750acd9097a4d9f11aabbd18b6a1c3 |
| SHA256 | b3f4532bd291ea278b2f820f177aacf1eabae520cb1c9fb64748684586d2daa3 |
| SHA512 | 3972390d23d36e30bc05749cd4f1c75046f7810dab4de9a8476dcba6475b328b693cb9fd0922552087250b798242f9025922d51a6420c83dd470f760ea876854 |
C:\Users\Admin\AppData\Local\Temp\Producing
| MD5 | bf95efbdd9c0ca9b57a4eb07704394ce |
| SHA1 | 3c7270cc9daf019113bffb87241613b5468931c8 |
| SHA256 | 6a807295d6095f092b699189e70df4beb466baee63bc18bb4a600af838eef890 |
| SHA512 | 64f71613c59bf21a891d8229e8342155bf5d0c24fb6209eb23161c6d5df10f600e480f0f3588e3ede9af6323fe560b2a2eb4267e079f2d4eb57b911fdb4ef0fc |
C:\Users\Admin\AppData\Local\Temp\Expect
| MD5 | 9cdaf56324d435a752925219335ad2cb |
| SHA1 | 32001407ec54b003e3e5b232b60f69b69dea6ade |
| SHA256 | d248e1446fa011d3dce6b387fbf6e0291eb955772bd0505bcdf1b770b112722f |
| SHA512 | 117dc6157db4d989c37b8fffcb946a25f859cfb057b5749df12753d5f93ae17bbdeee2ce744ba39ac986bf244202b0e8867aa5d54eb5aaca69aa5d833cf81d7e |
C:\Users\Admin\AppData\Local\Temp\Uh
| MD5 | 7ae9dd3c7faff58ef7ce855c6f98f4f9 |
| SHA1 | f5cf08349803c694b3028026027bc229dec1169a |
| SHA256 | 4eb08bb029a54194658012d08dc10779eaa642b6891f1b46033fcc70c226af81 |
| SHA512 | 5b6c2a2a7e0bd3ad0a2b1f6cad96cd2b4ab7c4523b7d8729e4f86f79b2d3c0da6dcdfe70dafc560498820b6d50115c8f0f8e8525d6ddf75ac3d971fb84189a9a |
C:\Users\Admin\AppData\Local\Temp\Licenses
| MD5 | b7b089bcfc9bfee097d6d3018480e382 |
| SHA1 | 58849a0e945d383c026970dd57d5ee905e75abff |
| SHA256 | c977ed8f489d1c8ced4c54965eaf93981d1ad0a7818f0dbee3a72ab0b4f0a4ff |
| SHA512 | 9e75cb1e6d0966a6d91fb436001412b3330a384e1fd120ff684a6cc3bad3df7dfc4081293be561e63a971b5647c7b782f13c363ff99dc3aafdaf3ec5193a54a0 |
C:\Users\Admin\AppData\Local\Temp\Worcester
| MD5 | 08a72f7db45d79af6db1591882411cb3 |
| SHA1 | 78085c1c1d999d52c8e14a2e56ca898ba5fe3e0e |
| SHA256 | dc839e2336da3148abe9c0ef8e46d0e50e5d1998c93e092bb98a1b40ccce5661 |
| SHA512 | c69ca4ee509ba82fac37f35f5eaaa70910a156a5d6b0171708a36905febd0bdc52dad5c0a0c7d2eb0afd3bd0ee96ee37730fc5bd54adefac63b7ac33b28d0108 |
C:\Users\Admin\AppData\Local\Temp\277186\Russia.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\AppData\Local\Temp\277186\t
| MD5 | 811b9e1a1e01f54890f93c8f54a2a401 |
| SHA1 | 6316c94c40ab69de5a036f8cb2e7339f69d53aff |
| SHA256 | d3ed28f8695559990b5dee4c24de3b7df9667bb724c136bc75f655ee13d7d929 |
| SHA512 | 2d8a263eb134b0fa6db3e06b696da0df7de6e435472a4f2c32a8146d8568fcf730b36088d7645bb16d44b87384687a78b2b07c45af3490246c09338cff79d494 |
C:\Users\Admin\AppData\Local\Temp\277186\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/4172-75-0x0000000000D20000-0x0000000000DA0000-memory.dmp
memory/4172-78-0x0000000005770000-0x0000000005D14000-memory.dmp
memory/4172-79-0x00000000052A0000-0x0000000005332000-memory.dmp
memory/4172-80-0x0000000005360000-0x000000000536A000-memory.dmp
memory/4172-81-0x0000000008980000-0x0000000008F98000-memory.dmp
memory/4172-82-0x0000000008500000-0x000000000860A000-memory.dmp
memory/4172-83-0x0000000008440000-0x0000000008452000-memory.dmp
memory/4172-84-0x00000000084A0000-0x00000000084DC000-memory.dmp
memory/4172-85-0x0000000008610000-0x000000000865C000-memory.dmp
memory/4172-88-0x0000000009330000-0x0000000009396000-memory.dmp
memory/4172-89-0x0000000009670000-0x00000000096E6000-memory.dmp
memory/4172-90-0x0000000009650000-0x000000000966E000-memory.dmp
memory/4172-91-0x000000000A1E0000-0x000000000A3A2000-memory.dmp
memory/4172-92-0x000000000A8E0000-0x000000000AE0C000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-29 00:53
Reported
2024-07-29 00:57
Platform
win7-20240704-en
Max time kernel
120s
Max time network
129s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.18\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon\ = "\"%1\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.23" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\bin\\api.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1604 wrote to memory of 2356 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1604 wrote to memory of 2356 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1604 wrote to memory of 2356 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1604 wrote to memory of 2356 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1604 wrote to memory of 2356 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1604 wrote to memory of 2356 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1604 wrote to memory of 2356 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Executor\bin\api.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Executor\bin\api.dll
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-29 00:53
Reported
2024-07-29 00:57
Platform
win10v2004-20240709-en
Max time kernel
143s
Max time network
159s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ = "ISimpleTextSelection" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\bin\\api.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.20\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\bin\\api.dll\\2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4704 wrote to memory of 1688 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4704 wrote to memory of 1688 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4704 wrote to memory of 1688 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Executor\bin\api.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Executor\bin\api.dll
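The security-relevant point in the `regsvr32` detonation is not the call itself but what got registered: the command line above registers `api.dll` from a user-writable Temp directory, and the registry table shows that registration landing as `InprocServer32` and `TypeLib\...\win32` values under the Shockwave Flash CLSID/ProgID namespace, so any later `CoCreateInstance` of those class IDs loads a DLL from `%TEMP%`. (The `system32\regsvr32.exe` writing to `SysWOW64\regsvr32.exe` rows are the normal hand-off a 64-bit regsvr32 makes when handed a 32-bit DLL, which is why that signature alone is weak evidence.) The script below is an added triage helper, not part of the sandbox report or its vendor's tooling: it parses rows in the report's own table format plus a regsvr32 command line, and flags every COM server or type-library path that sits outside the Windows and Program Files trees. The rows it embeds are constructed from the table above; the all-zero CLSID row is a hypothetical benign control, and the trusted-root list is an assumption you would tune per host.

```python
"""Flag COM/TypeLib registrations that point at user-writable paths.

Added illustration for the sandbox report: parses rows in the report's
registry-modification table format and a regsvr32 command line, and reports
every InprocServer32 / LocalServer32 / TypeLib win32 value whose module
lives outside the OS and Program Files trees.
"""
import re

# Constructed sample rows, copied in form from the report's table (values keep the
# doubled backslashes as printed). The {00000000-...-000000000001} row is a
# hypothetical benign control that points at a real OS module.
SAMPLE_ROWS = r'''
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\bin\\api.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\bin\\api.dll\\2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\ = "C:\\Windows\\System32\\oleaut32.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
'''

# | op | key[ = "value"] | process | target |
ROW_RE = re.compile(
    r'^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<detail>.+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|\s*(?P<target>[^|]+?)\s*\|$'
)
# Value names whose data is a module path: COM server defaults and TypeLib win32 entries.
SERVER_VALUE_RE = re.compile(r'\\(InprocServer32|InprocHandler32|LocalServer32|win32)\\$', re.IGNORECASE)
# Assumed trusted roots; everything else is treated as user-writable. Tune per host.
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')


def parse_row(line):
    """Split one table row into op/key/value/process/target; None for non-rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    detail = m.group('detail')
    key, value = detail, None
    if ' = ' in detail:
        key, raw = detail.split(' = ', 1)
        # The report prints backslashes doubled inside quoted data; undo that.
        value = raw.strip().strip('"').replace('\\\\', '\\')
    return {'op': m.group('op'), 'key': key, 'value': value,
            'process': m.group('proc'), 'target': m.group('target')}


def module_path(value):
    """Reduce a server/typelib value to its module: drop a TypeLib resource index (path\\2)."""
    p = value.strip().strip('"')
    m = re.match(r'^(.*?\.(?:dll|exe|ocx|tlb|olb))(?:\\\d+)?', p, re.IGNORECASE)
    return m.group(1) if m else p


def is_trusted_path(path):
    """True when the module sits under an OS or Program Files root."""
    return path.lower().startswith(TRUSTED_ROOTS)


def find_untrusted_com_servers(table_text):
    """Return every server/typelib registration whose module is outside the trusted roots."""
    hits = []
    for line in table_text.splitlines():
        row = parse_row(line)
        if not row or row['value'] is None or not SERVER_VALUE_RE.search(row['key']):
            continue
        path = module_path(row['value'])
        if not is_trusted_path(path):
            hits.append({'key': row['key'], 'path': path, 'process': row['process']})
    return hits


def regsvr32_module(cmdline):
    """Return the module a regsvr32 command line registers (first non-switch argument)."""
    tokens = re.findall(r'"[^"]+"|\S+', cmdline)
    args = tokens[1:] if tokens and 'regsvr32' in tokens[0].lower() else tokens
    for t in args:
        if not t.startswith(('/', '-')):
            return t.strip('"')
    return None


if __name__ == '__main__':
    for h in find_untrusted_com_servers(SAMPLE_ROWS):
        print(f"untrusted module {h['path']} registered at {h['key']} by {h['process']}")
    cmd = r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Executor\bin\api.dll'
    mod = regsvr32_module(cmd)
    print(f"regsvr32 target {mod} trusted={is_trusted_path(mod)}")
```

Run against a live host, the same two checks map onto a `reg query HKCR\CLSID /s` dump and your process-creation telemetry; the path test is only a first filter, and the follow-ups a responder would add are an Authenticode check on the module and an ACL check on its directory, neither of which this report can supply.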
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |