Analysis Overview
SHA256
2ac065c793348d8172895b7910d3b3c4a18f68abe57a7aa502a8c9c9311895a7
Threat Level: Likely benign
The file v11.3.0 source code.zip was found to be: Likely benign.
Malicious Activity Summary
Checks CPU configuration
Reads CPU attributes
Changes its process name
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Enumerates kernel/hardware configuration
Browser Information Discovery
Reads runtime system information
Writes file to tmp directory
Command and Scripting Interpreter: JavaScript
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-31 19:11
Signatures
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win7-20240705-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\deploying\heroku.vbs"
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\deploying\heroku.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win7-20240729-en
Max time kernel
15s
Max time network
18s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\examples\hubot-start.ps1
Network
Files
memory/2308-4-0x000007FEF50CE000-0x000007FEF50CF000-memory.dmp
memory/2308-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
memory/2308-6-0x0000000002810000-0x0000000002818000-memory.dmp
memory/2308-7-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp
memory/2308-8-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp
memory/2308-9-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp
memory/2308-10-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp
memory/2308-11-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
1s
Max time network
132s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | npm | /usr/bin/node | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/fs/cgroup/memory/memory.limit_in_bytes | /usr/bin/node | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/meminfo | /usr/bin/node | N/A |
Processes
/tmp/hubotio-hubot-b50c39c/script/bootstrap
[/tmp/hubotio-hubot-b50c39c/script/bootstrap]
/usr/local/sbin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/usr/local/bin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/usr/sbin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/usr/bin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/sbin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/bin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/usr/bin/npm
[npm install]
/usr/local/sbin/node
[node /usr/bin/npm install]
/usr/local/bin/node
[node /usr/bin/npm install]
/usr/sbin/node
[node /usr/bin/npm install]
/usr/bin/node
[node /usr/bin/npm install]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 195.181.164.14:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 84.17.50.8:443 | 1527653184.rsc.cdn77.org | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win7-20240704-en
Max time kernel
13s
Max time network
19s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\bin\Hubot.js
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
debian9-mipsbe-20240611-en
Max time kernel
1s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/sh-thd.J8DEc6 | /tmp/hubotio-hubot-b50c39c/bin/e2e-test.sh | N/A |
Processes
/tmp/hubotio-hubot-b50c39c/bin/e2e-test.sh
[/tmp/hubotio-hubot-b50c39c/bin/e2e-test.sh]
/bin/mktemp
[mktemp -d]
/tmp/tmp.Baobb9jkWn/node_modules/.bin/hubot
[./node_modules/.bin/hubot --create .]
/bin/rm
[rm -rf /tmp/tmp.Baobb9jkWn]
Network
Files
/tmp/sh-thd.J8DEc6
| MD5 | 48f07dbfbb824c83d3306d4f73f70ff6 |
| SHA1 | 4d8354416bca1c45dc4316f066ccc6d78f576d3f |
| SHA256 | 6d30a66911fdf4caa92b0c2ad2b4621977cb02168422ffda4026a7a66aa4b09b |
| SHA512 | f95781735c4ed7feeb41a4b129ceff8a4fdcec678dba7d3e7e11b4abcc1ced6c7b03cfbdea721bdd26e619f1caf04103b8ed6cf0ddfe5154984ab105b0bd231b |
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/fs/cgroup/memory/memory.limit_in_bytes | /usr/bin/node | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/meminfo | /usr/bin/node | N/A |
Processes
/tmp/hubotio-hubot-b50c39c/bin/hubot
[/tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/local/sbin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/local/bin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/sbin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/bin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.193.91:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 195.181.164.14:443 | | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win7-20240708-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\deploying\windows.ps1
Network
Files
memory/2252-4-0x000007FEF646E000-0x000007FEF646F000-memory.dmp
memory/2252-7-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp
memory/2252-6-0x0000000002890000-0x0000000002898000-memory.dmp
memory/2252-5-0x000000001B560000-0x000000001B842000-memory.dmp
memory/2252-8-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp
memory/2252-9-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp
memory/2252-10-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp
memory/2252-11-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp
memory/2252-12-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:15
Platform
debian9-armhf-20240611-en
Max time kernel
12s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | npm | /usr/bin/node | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/node | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/node | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/fs/cgroup/memory/memory.limit_in_bytes | /usr/bin/node | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/meminfo | /usr/bin/node | N/A |
| File opened for reading | /proc/sys/vm/overcommit_memory | /usr/bin/node | N/A |
Processes
/tmp/hubotio-hubot-b50c39c/script/bootstrap
[/tmp/hubotio-hubot-b50c39c/script/bootstrap]
/usr/local/sbin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/usr/local/bin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/usr/sbin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/usr/bin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/sbin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/bin/bash
[bash /tmp/hubotio-hubot-b50c39c/script/bootstrap]
/usr/bin/npm
[npm install]
/usr/local/sbin/node
[node /usr/bin/npm install]
/usr/local/bin/node
[node /usr/bin/npm install]
/usr/sbin/node
[node /usr/bin/npm install]
/usr/bin/node
[node /usr/bin/npm install]
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
debian9-armhf-20240729-en
Max time kernel
6s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/node | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/node | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/fs/cgroup/memory/memory.limit_in_bytes | /usr/bin/node | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/meminfo | /usr/bin/node | N/A |
Processes
/tmp/hubotio-hubot-b50c39c/bin/hubot
[/tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/local/sbin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/local/bin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/sbin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/bin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
144s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\index.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa50b46f8,0x7fffa50b4708,0x7fffa50b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,11368026834127204328,5987138517943029692,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2624 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 2dc1a9f2f3f8c3cfe51bb29b078166c5 |
| SHA1 | eaf3c3dad3c8dc6f18dc3e055b415da78b704402 |
| SHA256 | dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa |
| SHA512 | 682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25 |
\??\pipe\LOCAL\crashpad_1736_CSGLGQRMDQZBYQGA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e4f80e7950cbd3bb11257d2000cb885e |
| SHA1 | 10ac643904d539042d8f7aa4a312b13ec2106035 |
| SHA256 | 1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124 |
| SHA512 | 2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c477f4c7790e5000b420b261f3c17d01 |
| SHA1 | 9448dde68afca2f55635c599b4e48ffa500ace75 |
| SHA256 | 2654cc2c8014ee346d4d1e4649050f3645b80ea7dcf5bfdc4d3256d8b47ec8ec |
| SHA512 | 2477907a3eb855cb63f6daf61e3b498748cee2929d7e60346c3294eaa37917e1adf7d455537e825134c5d62d8df84b67ddb757d27c9fc1d2ca4ec6958706a54f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 811fa619404d71c75e9b101200411a89 |
| SHA1 | 48ac24c3f2ea3316d08e5fdf8c777bb4a0676204 |
| SHA256 | 96a6421c15be34a6261d15c6fa1d88978e11f3a77aa79cdd76a505f4f8e4a725 |
| SHA512 | 96183f9c43e7ee27f633f436b3ac0aa4c63bfd5fcc6b426bd37bd54eb9317eecb1dbb27d67f4c0fc179f525d1ca74e2db5e037a9c28b77fab7aeb5ba46281cd2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d6c62ec16d1b47b0f8fd3a1d313bea10 |
| SHA1 | 13b23f07f5d4f0c1958473d4d7b79d1faabb49ca |
| SHA256 | 6d1a3dbf1718ced0a839eb02bc08256c8fa014b9c9b3e57ddb127c15f4d7e63f |
| SHA512 | bbc51a10e2728ca9130015eea9b785d883519a861c4f04e6cbc2328da80935782c484f8afa2934d9e256366a13170ecdca39c2e5dbc6a1c7b04bc4817a33883c |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
1s
Max time network
134s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | npm | /usr/bin/node | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/fs/cgroup/memory/memory.limit_in_bytes | /usr/bin/node | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/meminfo | /usr/bin/node | N/A |
Processes
/tmp/hubotio-hubot-b50c39c/bin/e2e-test.sh
[/tmp/hubotio-hubot-b50c39c/bin/e2e-test.sh]
/bin/mktemp
[mktemp -d]
/usr/bin/npm
[npm init -y]
/usr/local/sbin/node
[node /usr/bin/npm init -y]
/usr/local/bin/node
[node /usr/bin/npm init -y]
/usr/sbin/node
[node /usr/bin/npm init -y]
/usr/bin/node
[node /usr/bin/npm init -y]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.129.91:443 | | tcp |
| GB | 89.187.167.8:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 1.1.1.1:53 | ocp-ingress.fastly.gnome.org | udp |
| US | 151.101.1.91:443 | ocp-ingress.fastly.gnome.org | tcp |
| US | 1.1.1.1:53 | odrs.gnome.org | udp |
| US | 1.1.1.1:53 | odrs.gnome.org | udp |
| GB | 89.187.167.38:443 | odrs.gnome.org | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
debian9-armhf-20240729-en
Max time kernel
12s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | npm | /usr/bin/node | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/node | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/node | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/fs/cgroup/memory/memory.limit_in_bytes | /usr/bin/node | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/meminfo | /usr/bin/node | N/A |
| File opened for reading | /proc/sys/vm/overcommit_memory | /usr/bin/node | N/A |
Processes
/tmp/hubotio-hubot-b50c39c/bin/e2e-test.sh
[/tmp/hubotio-hubot-b50c39c/bin/e2e-test.sh]
/bin/mktemp
[mktemp -d]
/usr/bin/npm
[npm init -y]
/usr/local/sbin/node
[node /usr/bin/npm init -y]
/usr/local/bin/node
[node /usr/bin/npm init -y]
/usr/sbin/node
[node /usr/bin/npm init -y]
/usr/bin/node
[node /usr/bin/npm init -y]
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
debian9-mipsbe-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/hubotio-hubot-b50c39c/bin/hubot
[/tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/local/sbin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/local/bin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/sbin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/bin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/sbin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/bin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win7-20240708-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\patterns.js
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\bin\Hubot.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win10v2004-20240802-en
Max time kernel
84s
Max time network
142s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\deploying\windows.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4608-0-0x00007FF96D763000-0x00007FF96D765000-memory.dmp
memory/4608-10-0x00000213C1410000-0x00000213C1432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uqyg3c5y.4zc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4608-11-0x00007FF96D760000-0x00007FF96E221000-memory.dmp
memory/4608-12-0x00007FF96D760000-0x00007FF96E221000-memory.dmp
memory/4608-15-0x00007FF96D760000-0x00007FF96E221000-memory.dmp
memory/4608-16-0x00007FF96D760000-0x00007FF96E221000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win7-20240705-en
Max time kernel
122s
Max time network
130s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431293379" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E0E1CB11-67CC-11EF-8CC6-7ED57E6FAC85} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf7100000000020000000000106600000001000020000000aefbdc3f940cfa05cf6c325a7e937da45480e74fc5f6286a9dc1bd91d25ce079000000000e80000000020000200000006ac5747bcb19ffc220b85a7467f9d02ab89871001154c8321d1158994e01cd8d2000000051381e3b815b3e6c79f61385f28033f4d04fea8160a01b8ffb5d91b6cd808d7440000000fcbd1ea9a2926a13876f5fe797f07d56829206ee301d436b88759d813a70cbb2779a3b246d5d340a5373d8e51b509ef78a8fb2f1f24d24c31d7bbd9a1983406c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a45fb5d9fbda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2404 wrote to memory of 1696 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2404 wrote to memory of 1696 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2404 wrote to memory of 1696 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2404 wrote to memory of 1696 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\layouts\main.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2404 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabD940.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarDA00.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 610e77967976a61d9b778caf2a0600af |
| SHA1 | 69b619f05a32383c77960245e92d56302d207ff7 |
| SHA256 | 5372e4bb18cbbca9c2112fb19ac3954ca292284570146b8f8ee232ba497ca205 |
| SHA512 | d74befcdbfeecdfcfdbd72c701bb1e2d78dbef5c553f0f490c856854b60f2d40fb08f75b97ecce81fd3e1e87cc3dd82397aabbfe4d074bb8be3203250595980e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b9e685dbdf71d7f6a718db39aaf0ad63 |
| SHA1 | 879bf0836c4e02712cba1f755889c2593fe3e22d |
| SHA256 | c71511a8cf7cdc2457cd1022b275536ad78d4ebde21742d528f1c19c6a09184f |
| SHA512 | e0c81628afc32076d0989b748843680e13f1d0e7c9b222317504e94f9b89fc83bb3ca0e436761a348ef8b43141e472aeb1f1db5c41a7a2f82d5b044707ac6429 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f421ada8c222f67262d46d6a5fa288c |
| SHA1 | 0437fefe5af7f817ab1de6553b2d446f86293aa9 |
| SHA256 | 189fa262185b1d361fe1be5177b1bc7a36de7b93641b3e9ed68d481f9bda9424 |
| SHA512 | 6c282314a7c7a77409a20f67f3e536dba54f2b0eb954c60f70e614d4d57832980c1bf8c3d632dc33ed6a35d620be5af3528d80b8c0819da817215c909c2b6467 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c76f27b5d2f512657291fb2ea6b579f |
| SHA1 | 9c1e340aa1d879cab4a5ac72a78ca15f3ce8e187 |
| SHA256 | 0fa0b98348b21f7a3500065691fffe2f0af3d1e1c03120aef0643963d4816590 |
| SHA512 | 1534ad595c283080eefe6791ce6f105367d86f0fdf9a96ae3f6530549d7e8bd6146083f698ae19768698fb292d53902b9f6efddf6ef85bc830373cc22ed19cee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae1e8d1b5f2b31897fc5260203520662 |
| SHA1 | 4814d08b2f684960a7e4ca2443eb975c076c7723 |
| SHA256 | 22138f34a707c7784056866ccaa4640a4444bbffb94bdf6cc5bcbe3c7a357431 |
| SHA512 | 9fb7b3599a906a4016d09f88803f54b4aaa1649296bf1aba4c0268cd9ac77ae9f01dde54bb31f3309b037dbd9c9b526771ce88dd93409b1a2745d8d570c951fd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3777be99bf451d4d5081d0c40b652bec |
| SHA1 | 9c31f7b60d5ee323b6420e9043119b6b8b4cbd95 |
| SHA256 | 9598d92b56b0b7b18f378fbe926d7da8109dcc91f474f78710c6c2280ad300df |
| SHA512 | 69db662bd28044f700e6de012446b10d46e40872cab76b9d0df96358ce1e77a94f5bcebe6d93bb048dd583126298ef951e05deb1b81a50f0fb6c99d78229aa86 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 03e25d14c364bbfe634b5ad7c0590949 |
| SHA1 | 3e51bb180366b3367e6b41aa414b68424ca1de46 |
| SHA256 | 807380e38051a254f94c85db1019ebe523dbd5bf715db299f52ee4f79c17b93f |
| SHA512 | 61d8109cfddb10e48de35ef01067a9edb1ab98e562801995616a26fd0772a7d2dddc6bd75f63b7c1a0cdf1a7f3e2f1f7103c453b044281b0bf2f94e6ec6ffd91 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 57deebe5e535cb0963911ddcbccbf466 |
| SHA1 | 9ec8fb4d701ede226e867ee23b476edb5b42c643 |
| SHA256 | f0124327f5f8ccdc5376b339d74a23a9bac3ac87207e3354ccf65c8e1802ce54 |
| SHA512 | fd3884fec88df19f20b5fd1e647a5b6e12c8f57a11f79db5a204b65fc16f03e919a028f16b5a82943dc92871bdb9f74050f77d5e8892f0de55923ddf959209d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 674ce560f281d67b452c4bbf1491195b |
| SHA1 | 6cc5a9273030f56355ea0ff9cb223c9b0fdaa5c0 |
| SHA256 | aee8a6bd9e816ffab45e88297f5baa1b321ae0ba74edeea5456c61597d10d177 |
| SHA512 | fc7d3c2e0e2ebe38b99948bd42e24736220fa2d8f8a5c951ab74a3ef91c460d20d4bb534fda0e97798628ce1dbaa22c7e76d125a85266338a6f10eb17c11b9f0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cd6f67e50427113718089b26549c5c5b |
| SHA1 | f09eb07bc99d075ac4db64d641e04910d7d9cb2b |
| SHA256 | 91163e07daa71ab90e3f9895aaecf4ea4b3a27d2544f4a51aa08dc07d25e1df9 |
| SHA512 | 9ecb617a5d116c8a9065cd82c682d5010884a9575c31d5861e0ebac196bbe762aaa258de217aa17ed5020bdee0db5abd3f0d3de5e4d4cf23aeee72ff2d2ebfc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 19fa7b11487f303745d7679df3d9f26b |
| SHA1 | ece4ae6bb0a0825c4058c9e660f787e1cd9b0e18 |
| SHA256 | 1651c6adb9b9d3100c4b7cd8f73de6b7503e055b435cb9f7b86b343b7234eb66 |
| SHA512 | c9837a546aff7b6009c7f09c6873398844f2f9f10b6b1d27e53ad449b03041aaff04fe20df4d138e452e0e90a34ec48edcf6dc726901dafb87f5b91995567624 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | edbc2acaf049212a0c4f472726902f50 |
| SHA1 | 019474f7a68ed54f8e0e358ec77a3d24765119fe |
| SHA256 | 2d7bc2f1563f5b55b88470c962d646c90b454f3cfc37954a2d5f6d09266d49fe |
| SHA512 | 703817e3b139c4854b839877f4be9fe0128c18cb53554da8dfaaa63fc9610e025519c67967387dd06114ee05379fa1f802f2c5aaa7dea957b5ca01cbdf1143e7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 07d3c1e13f676a5bba036e328ac5bb14 |
| SHA1 | eecc70b68bd04c6b2afd0081ebf09ad84d6e891a |
| SHA256 | 8ba2dbeca747b1125c35e7d17c131b22d6ec70382ccf6320adb5c538240be9be |
| SHA512 | 742aad6ede06cf3f701148c34445447eb16aa375b37a7824c52ac14ef696c683128cce39bf557e8a02c30e5feb59c2f656d2e89542ae07d0ebd6869bcd00044e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2ad29b43d30ed526e20d05c417b908f |
| SHA1 | 14a4a42af48acc10083d8e07bfd3171c6593b203 |
| SHA256 | 6a349483afd3a6f5e2b2a437d864a2d0fc070c85244534d7a66f251a11e10201 |
| SHA512 | 9654e326b16a2649d17c0fcac82e0164ac6bbb11e88c997b0bd33a125f29edc5b1edc08b41e73358eacea79bd3e771b78a20346256193e063fd313218c0cac76 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a70ad702fb6b7236a8f02b1f4d396384 |
| SHA1 | d6d2ac26a7eec8387d077c754d7011eae7af6049 |
| SHA256 | e5cfe00b3a936839785bf36a14dfff56f33c4ed9a1dddbeabfa7ed56b77bd4ac |
| SHA512 | 920edbc97c571df2777df88531504ad6600f0587b9bd7bddcae4584bd7a334296ec0b7c4994f35776a5ebe0302a8043a1102043f55f0276d2cd1a753d0a18789 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cf2099d013139cc796254c5c73ed11fb |
| SHA1 | 910b28693d15b4c45000b5869c0ef6c8628f10b0 |
| SHA256 | 6f387946abf81c559e2afa45a76ce5d7a6ca2163ddc462860315fffc4df0a999 |
| SHA512 | 62f9f08e5886501cbcd650f9ee0152ee5761ed19b169021e05e03af6bc02a8aed94e2611b6fc68b22bf489990a7b34fc4289d7f112755ea20adf51e81befb74e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dae4beb17e617ae515c41f595e200f68 |
| SHA1 | 00d649b9b84af0dfd999122dc3f170b4c724570a |
| SHA256 | 4d1b89bab2381badd425995f64f5a5cd580df5891a620d6c843aa2a903d71d2d |
| SHA512 | 157b970dff5ed0a6f8cf67c915e73be9054c081fd5356896328ef1aa52b2f82a4faa33439a6d1779023fc43ce2af135e1659728bdd248c9c1363de22d81fdc50 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 38ae4aca4f857833cd798918b8614f01 |
| SHA1 | 2961af79af66850fde3894a2005ff0d46627ff8d |
| SHA256 | 13927bbaf80ee96712fc335624798ed0d61c919e8097f9634328d765a55a2337 |
| SHA512 | 22829366f0df9f2c494b4e4fac32be9a27df8600a77c4be8bcf2fe72bec400762671d75bd833f8ace3302b79aa1a8d972178983fe36854010360b65e2e916ebf |
Analysis: behavioral28
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
156s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\scripting.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 52.111.243.31:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
debian9-mipsel-20240418-en
Max time kernel
1s
Command Line
Signatures
Processes
/tmp/hubotio-hubot-b50c39c/bin/hubot
[/tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/local/sbin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/local/bin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/sbin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/usr/bin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/sbin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
/bin/node
[node /tmp/hubotio-hubot-b50c39c/bin/hubot]
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win7-20240705-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\adapters\campfire.vbs"
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\adapters\campfire.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win7-20240729-en
Max time kernel
16s
Max time network
20s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\deploying\azure.ps1
Network
Files
memory/2536-4-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp
memory/2536-5-0x000000001B5A0000-0x000000001B882000-memory.dmp
memory/2536-6-0x0000000001F00000-0x0000000001F08000-memory.dmp
memory/2536-7-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2536-8-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2536-9-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
memory/2536-10-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win7-20240729-en
Max time kernel
134s
Max time network
131s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E184A291-67CC-11EF-BC1B-C6FE053A976A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 909206b6d9fbda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c9200000000020000000000106600000001000020000000371181fc323dbaf1cd93958168985a9a3d4291c4e9e89e85a55dd655531ae822000000000e8000000002000020000000fad141f1b0fb45a45971fd6ecedebf393f922ad1a78767b326f3f990d0c601012000000063c16115f02e7914de972737a7242b7ed3fbcb9954856eacdef3bbfd0af8e13140000000b010bbb649ccbd7508ac0bb535b58fac7865ad60e34188cdcf8e46eac75481359dcac91a24e8b0a31c09735b7d9b783fbf10777f8c11c3db86b2288e162a8c9d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431293380" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2528 wrote to memory of 2016 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2528 wrote to memory of 2016 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2528 wrote to memory of 2016 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2528 wrote to memory of 2016 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\layouts\docs.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabE63D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarE65F.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 85bda70720dae95c35ff44b96ee1f026 |
| SHA1 | f4ce0b446c95696acf8a816dd1acad4cd0fc21ca |
| SHA256 | e138497eb7129ec8269e0792759f527ad840f24a005bf5d704f4e882957cd397 |
| SHA512 | 5d2a0f320e71d411d6db8d5da06d66e6f801e63ba0470bc5be7e0a1b2e1a297dc49fde2fed10c89740d51c7bed786d16e632c17c3a33eec7a1cec1577c5b05dd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 229072a09b01c07c3c8888e00a3861f8 |
| SHA1 | c48ef26d885867c700408c1855e0bbf75ebb7beb |
| SHA256 | 1e6a16226d000d4a5527eb52c7c8338087cf452819de534b94c5648cc0c4b4e5 |
| SHA512 | 9714a2d10d732b36c867db947da0b7b1ced84d5fc132aec4656a65bda409ca67e854a2229ba3f45cf6841f1c8f86e7d9476fc07030f6adee62fc3c77c88a70d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9b1e77b945d36038f4f34aca03957191 |
| SHA1 | 65baf61cdc8f0cfd230e2fced3ce81c5d010adee |
| SHA256 | 5dfee9a80c6726915f86a52e174e3f721c2b9e346f0d7ab557aee54a1ce24093 |
| SHA512 | c28efec04852952602a9973675ea00708280bf5ba2ebace977285720a1e8e15ddd5d6346233815582c561cf13226227078ec5e295368acce5064e47cde6fdc5f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5fd7145aa8596f448fa2f31fb9eef9b6 |
| SHA1 | b74a05866f957ef6db76a64d1dd0aa6b01070281 |
| SHA256 | 7d36be41e420e7f87a9401aca7cb024a76ca47012a9ae425cf1afd8e97084d94 |
| SHA512 | 44c468127e50c0cdd3850c114d40eca176a08230ecdc19f13e67709ff077502f93c6649f090bc634f5901f9d1bec04cb9d7623e51e616ef158ae35cd603e5b67 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b998f9e59d1c99d8da227f88ed7ce7e |
| SHA1 | fa164bc58d64342705de020856f36a554385587b |
| SHA256 | cf6058765d68a7f316a4f88858656843a96519e99f84076a8e015715d7a6eab1 |
| SHA512 | 646ebe8530442fa6c800f594915c64b8310bb14babd377b6f22c1fec45d83416eaa7224e2f8c0a9c1fb2e67249f338d4ba75b6acbc04314d6825fb80168dbc14 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9f4719ace3da910ed5f3916fffaed6d1 |
| SHA1 | fa59e733ac395cdb10ab589027b018638b46e285 |
| SHA256 | b861abb3ba07a7b4ae5773a775d4971689d2ad11ee0fb1acdf48c0c37f103026 |
| SHA512 | 45664d53156ffbe37d318b173712801d8abfb0508d62a1740ba534f49219c5fcf5d798104c8a00ef101ce6e7d2b40be25b0b75467a27de6953ef0f4a19fbdd85 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 984ff9c802da6064b36d2aa3ab3a2b45 |
| SHA1 | 18814569a4cf5945a360e48bc1ee4a3447ceabe0 |
| SHA256 | 565eb0f90c11d565117a1fcf53cec5ba454e48723da3cbabd81d0a40d08aabd1 |
| SHA512 | fe1264913eee7d20f2f56663de8d18cd6abfadc14b75aa6c23d074cfdd87c4c767ae30176f7c4a57afdc4ced3c13c277612a88ddf9055f14d2ef73e68ddba6a5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 404add157d5f628265b6ae49eabc6a37 |
| SHA1 | 0b8da4b40881505c5a9b76b7589a4f76c2226573 |
| SHA256 | acea4e62e315cdb311a7102cbb6f13a750e2bb0742cfb0ae8d1dcf3811abab82 |
| SHA512 | a174b6cf2c5486d2d2fa67edd37406f5247e2c3d55a5ae6b0b392394f2f6e1270f934f51d2b023b7dfb87118e1f77dd26f19878612d42722157a62f5ef755a3f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | abbd71bb96e0e0b0ffc0dca2fdbe3d6b |
| SHA1 | 55e5ee1ac0d3dacb38370f17f472399800434582 |
| SHA256 | f0a837b4503822eea2ede6daba1f7ec4c1200e77984974cb503ad90eab9aad4c |
| SHA512 | 8b0f4b2ad31ce7a4064ecddc59faa0a095e6a9f7f41c0d69bd450353325f9e58b3044fadb93fcb5dc573dd1670bb5f925a60917bfda4277dd334a0e414bb3f04 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b29f2ed46a21dd9fe1ac6a420ca0cc43 |
| SHA1 | ccf90ff104fb67703a8919efadcd55be0e9f71e8 |
| SHA256 | 0f188c39aae162e475efd41b5182fc596b0e6d2287bb4c89eda77013448bef6b |
| SHA512 | d91cd944c7e9d19f2e48d7e0a4c021d7c716048b2c7ffb56558c66f4f555a1fe92af15481e22864c6b4e55cf7281da3b28c092e4a5ad5a7867c88e8ce87c701a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 355c1a81c70e4b64f68d05a8984c4f48 |
| SHA1 | 5e286cc7043d570bb6a0735b22a51405f54bb70e |
| SHA256 | 74c3de00f30f30c01ee92204aa098a80e849b42e82370a94972a824ab8dfa91a |
| SHA512 | 7d37b83b82d3612eb0e419e736709abb646207f50b7ef92226092e70d0c4ad55130f3cd02a93df5786e4d66527aec0151fc1a897b97223af74587f64919e098f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c4fae84a202def9357ce5ad2a037cc7d |
| SHA1 | 78fac208f491b29b3c0bd9f3f1fd055e3155ea3e |
| SHA256 | 9b286fae8af316555748a432cde5bef3f5f2d329db8218a90f5ca58435803d67 |
| SHA512 | d08c21cd5356cf0b3f5062ff22ad79a626727430d05724581ba1955ebe31e1c4d6ffe6f7e19c0d58041e994e1b95c453c00666b738cc07f1b1d33f6f7de78897 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b018785a3c31fb9d08d02ad402a03d56 |
| SHA1 | 2886b9309d2acd53b8824464301b97d1caf0ee83 |
| SHA256 | a36b6f931ef73a4c64857de26acc08ab3cdb90fe7b957f58066a505bf75c96f0 |
| SHA512 | 7e885c52dead3529efe59da77a1028d597d12ee480dcd4d875cb8682d18a5562229d57d5d1cf2298a506cb2762df10b1fb41b2ca5dae0b4888123cbc3b36f434 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8296b7b0f37940aa734561ea9c93de0c |
| SHA1 | 6c5608949771c93b3688ade5904fce17ec26e702 |
| SHA256 | c49ff564d8bbb4b6b9b139250e9828d0e4acb140c75eecf6005a9b375b054843 |
| SHA512 | 131dec98ef278c1d7b3510cbb0d165f1f2ae33f93469fdc22ff39c532df3238bc04b82b1df191aa1361ba16eacae36e4bafb0b936e1f48f877be8b75f9524a20 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ded3c7bf148b8819fc38be6f81922a26 |
| SHA1 | 220f102ffb0b2d6fd54826074ffca5aa5b01dfa3 |
| SHA256 | d03a28ea9656940440701a1dd7203ad9801275ac8b7b6b73a0c0a2d2a679f965 |
| SHA512 | b52859caf9d76fb1562f0a8b19bf11a59a45dd4fa40f84db3ee55f183083f763318ec42e36787245c5c7db607b0fa6a281d5a00ec8b4fc3fdeebe07a7c4d7818 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 500996feee0fb07d779dc010ed2cbbe6 |
| SHA1 | 502aac7a393b98152cdd14d6ce8cfce72a019859 |
| SHA256 | da548adf7f3b30fbb552686d996ce406e8e669ca7f5dce3c7dd3c2b2bcca1be0 |
| SHA512 | 670cd3ca7c411bac85c80b8a0de8ac728384dd9a51eb592cb9d5425e4a6d66a6ded984903580b59914ca3079de21d78b9557f3ecfbd0b7edfb91e0b39ba765a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d784734a78876836bb002644ae73fe2b |
| SHA1 | 21bf816f6dbc4bd62598857ef971ae19a9cbc9c4 |
| SHA256 | 37696c8720e9eb86dbe4aea96666be9e70daf6766f24ae68f320e8d130dc405f |
| SHA512 | 8b182a7a640f63f2e0b359a4022b21b200a866cbc86feb8cdade1db11e62b8b998aa61d386ddebb771e1f97133e84eb977fbeac426d2064ec6a566415ff9a885 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8f8b5cf2d8bfaf7f8f28227acdd67371 |
| SHA1 | eaf0b0e78d56fe349480c7776ac0fd8dd181ca79 |
| SHA256 | d1874158ac982090cf3f43047bb5de79f5689837571805db47d78f8a4592f615 |
| SHA512 | 7b5d6942ce48d2ffdd41b13fd9988808cc98aba4a9249552240c63f7cbc2d8436197bcce2de147cf82192092124c1aff96846b29c33840fef4e27f6c400fac8e |
Analysis: behavioral27
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win7-20240705-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\scripting.js
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
133s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\examples\hubot-start.ps1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4508,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| GB | 88.221.135.11:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 11.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2800-0-0x00007FF966B93000-0x00007FF966B95000-memory.dmp
memory/2800-1-0x0000020240A00000-0x0000020240A22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5tqgwgj.mws.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2800-11-0x00007FF966B90000-0x00007FF967651000-memory.dmp
memory/2800-12-0x00007FF966B90000-0x00007FF967651000-memory.dmp
memory/2800-13-0x00007FF966B90000-0x00007FF967651000-memory.dmp
memory/2800-16-0x00007FF966B90000-0x00007FF967651000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
debian9-mipsel-20240226-en
Max time kernel
2s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/sh-thd.sYHHMG | /tmp/hubotio-hubot-b50c39c/bin/e2e-test.sh | N/A |
Processes
/tmp/hubotio-hubot-b50c39c/bin/e2e-test.sh
[/tmp/hubotio-hubot-b50c39c/bin/e2e-test.sh]
/bin/mktemp
[mktemp -d]
/tmp/tmp.52557Tn5wI/node_modules/.bin/hubot
[./node_modules/.bin/hubot --create .]
/bin/rm
[rm -rf /tmp/tmp.52557Tn5wI]
Network
Files
/tmp/sh-thd.sYHHMG
| MD5 | 48f07dbfbb824c83d3306d4f73f70ff6 |
| SHA1 | 4d8354416bca1c45dc4316f066ccc6d78f576d3f |
| SHA256 | 6d30a66911fdf4caa92b0c2ad2b4621977cb02168422ffda4026a7a66aa4b09b |
| SHA512 | f95781735c4ed7feeb41a4b129ceff8a4fdcec678dba7d3e7e11b4abcc1ced6c7b03cfbdea721bdd26e619f1caf04103b8ed6cf0ddfe5154984ab105b0bd231b |
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\deploying\azure.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4688-0-0x00007FFA1EBA3000-0x00007FFA1EBA5000-memory.dmp
memory/4688-6-0x00000209AFD80000-0x00000209AFDA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmnt2eyt.e03.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4688-11-0x00007FFA1EBA0000-0x00007FFA1F661000-memory.dmp
memory/4688-12-0x00007FFA1EBA0000-0x00007FFA1F661000-memory.dmp
memory/4688-13-0x00007FFA1EBA0000-0x00007FFA1F661000-memory.dmp
memory/4688-16-0x00007FFA1EBA0000-0x00007FFA1F661000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win7-20240704-en
Max time kernel
117s
Max time network
136s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431293385" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a5e2b7d9fbda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000e5bd1d9750f9254670df439dea35125d6ce6d43e898e6cc50c48e1987abc48fb000000000e800000000200002000000076a647679ecfa0a3bcb0936d81c1920e21d70c83e12932c543ca3834ab16b5b820000000e4590e2af33d82185e1bbc79af912630148189bf75cdee06178f692659ef2d14400000002eb8af63d816f035a0e4de6917f20d0c9c7da8e72301a9ed8a4f4af2220a9e86f989d8c4241252237d29c2ffc41b9a9c5968b84450e65a5220dd1b76a7ed1ef0 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E36689C1-67CC-11EF-B0F5-6E739D7B0BBB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1944 wrote to memory of 632 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1944 wrote to memory of 632 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1944 wrote to memory of 632 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1944 wrote to memory of 632 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\index.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1944 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab1873.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar1896.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c0c2547bd09fdc8cd1e66444068fd062 |
| SHA1 | c8b8012010c0f1d68833b8e42bb2dce00801d8ed |
| SHA256 | c3f0c2b7887e98859c6c75d341ed2a12838a992d3c8e0eaebf7bd82dddced0db |
| SHA512 | 1520b437d7a0515e55850855b4c9563c2b78f3b7cb5efd790d57055619f320e8867e567f66716f31178d207fad2e52277c2dd5fab3fdab38d2da04d341bb11b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b24c5247e298c3552c02fcb8f0613e6a |
| SHA1 | eb00349dee4328736a311f4d2e248b41f2695976 |
| SHA256 | c3814dfe8e30cf19d9ad8940e6a43b88778264f2c70c49a17f0869e268d72408 |
| SHA512 | 48638bc88ac74bd9aea0d9eaed8e9df91297f2e1f986e21546e73d86fab252d37ae3fc0ab20561b8aeaed11f747bb2e036c26d6f315e9707a8dab6d07b416ef5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 47608ed26caaac55299cc1e992e2def6 |
| SHA1 | 0b896110969965e30e60b0b85f306e8e700bc7be |
| SHA256 | 1dde5436a748b7626e70c669648a14fb6578ea95e37203414ba2d13675ecedef |
| SHA512 | 6150489d3e17a129e37883868dbe62057c6ad537f1166af0c4525ca7a75e8a7412f277859450a19221afae501ba5fe8d1fcf956140d4b2520fea10bb2da781a7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 805e93c0d5f717e5948604218e8a1e10 |
| SHA1 | 4c028719a8c8a18782d6e0280c146948bb14a7fd |
| SHA256 | cfd677790d91f7bdedc3859e486e19a7ab7051e3afcb1fe03efe146de07e6258 |
| SHA512 | 832bd26ea3333b44b05c32d322fafbc9815dce420501ee8eb37c8107204720e238ea646654c520f58fe3edbf311bb1d3821a21f2555beca5e9971c43d14381ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cf1564762288100fe526dd71ad947dff |
| SHA1 | 6bd56a816b7eb03d41c39f0c3a3e2d8faa3477b6 |
| SHA256 | 333137b45e864c8daa5d0d8208b6caded56d0d93bcbba2dae5077649f859e4ca |
| SHA512 | 154d565c5e6343a0ac73f1f1c0d3ec7992828a07b2a53dd1452a1c3b0070d517eb93d2931ccbc0df4a7bf063a059b59925738d60af965a7576feaa771dfbf90c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59703a87259d8a4e43d7d45f8ae64981 |
| SHA1 | 4a91314e760f0ed3ba8c6f59f4a9fba5273859b5 |
| SHA256 | 77d53b0f5724a502998fd56884610b38fb062c5f525a46c3b5f052728974b344 |
| SHA512 | 822997741f8f7f72d689d04cc3919c1ac22ca0197d1fd427899fff029343eba33d318b233e41bfa9b61c9d100b3ef56c35a58e79302408b57a9f61a2c1986377 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8eefb86089d1f8f1c245507c67c94fe0 |
| SHA1 | a6f590a4313f2436b9bcb3a75038fd367b1ee124 |
| SHA256 | e53b8c35a84e6450aca7fd5d5244d1aa7f15c8137575173f0c97008c69ee1e0d |
| SHA512 | f6d76a3e0d4d8f1f9ddc1f0d9241e891dabe5b0148c889c0f7270f494d90928157ec70b78a8ab7c22661333ada878c1e0d8a2e3a029e1a831521cf4b308b8634 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a0caa209d11e5eb0adab13315c973422 |
| SHA1 | 447a99d4332ff63f28d8251f7f040a263ecc704d |
| SHA256 | e8172b04dbf8ca2db3eefe056d5a3b93c0c6f499fb64a624fd100fd828a64052 |
| SHA512 | 4882cf09d084a9584fcae09ad767ecae2aa08266614b43c8adc3ac7607b3f5c060af95a497e8d0b2a268b4431c597c513fb8b51cd1860eb8197106c5e27ecc3d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 88083ce1b50115b6561a4a7f6fc21b58 |
| SHA1 | c079e970fd6482d0e5c69c6fd79f01682a985a9f |
| SHA256 | 7a7dfe2edf448524790aee8a13859c1e9dd06eeab6bbd333edab9ef5e8c4986e |
| SHA512 | ecc303818836bfc6b5e7fb7c6e24e6c4a79d546c407c3dc177b9870c90454f744ed348b49849c029a77172111bd950b6a5ff6275dd629cec6cc16f63f47a1577 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 90b7694c8faef7c1f21a5d781ba79fd3 |
| SHA1 | badbd016de1ad6512e9328dd375c266491f4b30b |
| SHA256 | 31b756f7e11597d1fa315e76c5331cd8c3da3e0d7401212174dc5abe38e0ef7c |
| SHA512 | 6a92c2d1ec1f547fa65d1f4c55531672095963af8aa3a08271f206defaa202bfd69283d2d464bbb96db754606dbc3cf577a6ba5fefc07b60f6538df9dc801b88 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b399627a910ad29e2fe73ff87944919e |
| SHA1 | e648a9ba33e988232a73f246efb5d7b2fe14edf8 |
| SHA256 | a96a17b96ee5e8f4be38b85da37fac4d9a8221156c9b91156b7e3b29db94c7fd |
| SHA512 | 6d53817876e778364e6a8649e6c8d188873c74a1f6dd2c48f93557e7aad10915a72b1735867dd3c30da57c243207a50cab71f01b7b416604e8c585dbda115ff0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2a89b6accdc70c4d6db49eb2770ad02 |
| SHA1 | 20fc4e87b3be30ebb8960531e21c62c066541f2d |
| SHA256 | 7271caa4cedcbafaee67ae97be19393c1a7df95eee26606e652009996de8e005 |
| SHA512 | e4cd5d52d27eb2699ee8574c7da8777827eb456386b237006bf1feadf0d48aac22a424747176370ebf7a46fbbc4375d5be91353a127d8a60006b7fcc58fb72f1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 67c031a5d9f00c271c1961c8299568f4 |
| SHA1 | 9cb2b9b8623cbbbbb456882038343d3969e5d956 |
| SHA256 | 476d5dae00305c7b2c1608d0c6f9f78b47aa7768f732a5a219b3d04f42e4d85e |
| SHA512 | d8d3ac77b9fcab4ebba2f2639b6afa81d5b0d3d575c24726c8ff8beccd38532e03bb39c2ee337db7f6d4e97b4b9f248b0cadb95d1571a875856a031c64d1d1f5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e74642b40d4512a60b4d94d2033dc75d |
| SHA1 | 7dff55a29b4a370073f3bba7dfa431b4a1603031 |
| SHA256 | 68f24f9bd38921ad10ab2f85eb5fdb2bdb12c51ac7c81bc3831c9a18f85cd7f6 |
| SHA512 | fb85970e6df97038eb1cd38b79cf9ee468ffe72234f2cd06d5603e8c0cd9d12015febd99288dcf0d3d071fe271ea7a0e913d62073ecce1fd47daf4cca5e80822 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eae2f449df666a54873e3cf1b7a5f28a |
| SHA1 | 2eed9e7c422d36a70c65b73d8bbab9c1fce6673b |
| SHA256 | 6516b5339a18e0ece055913f2fdd663319cebd37d8914e87fbb39ec279956d45 |
| SHA512 | 872b15246d2e22bc0d4febed2d831d2d61d0d07238aa84ceda9bfd2f00a7e4db12aedb8b5306ae594cf1f128573aa3b11c4ca0e2f2fedda838f3f57efd38f91a |
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\layouts\docs.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9022f46f8,0x7ff9022f4708,0x7ff9022f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,7656443601269862659,1315612980731793328,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4764 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 847d47008dbea51cb1732d54861ba9c9 |
| SHA1 | f2099242027dccb88d6f05760b57f7c89d926c0d |
| SHA256 | 10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1 |
| SHA512 | bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f |
\??\pipe\LOCAL\crashpad_3096_QXKGOCQWEYERKDJR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f9664c896e19205022c094d725f820b6 |
| SHA1 | f8f1baf648df755ba64b412d512446baf88c0184 |
| SHA256 | 7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e |
| SHA512 | 3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b8318842-4cff-4ef1-bea7-f4d92a993333.tmp
| MD5 | 52f01b668ccc85d6d97d9e06d1a379b4 |
| SHA1 | b32611d8c0d00e7014bc6965253b3f32707c25b0 |
| SHA256 | cf31885a05b43ad49fed99dbd86aff2f17ecd4a014814221025bfdaf237950c8 |
| SHA512 | e5cb3fd86aee4bf8e2924a767f67284af7845beb04e3ec005b9aecbc4f5fce2dc956a089a16b04d7e4eecd3ed4f7612942dc9f22b1e9c9afb2b4ba7e8f560977 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8ded07d2b34f1448cc0dea7b22917fa4 |
| SHA1 | cad7e703b9c492b3bfcfefd7b54f0d1f61a5527b |
| SHA256 | 9ff58e1969569604930143449cceb5dbe4f131474a1499a16a7b3aa142c414fd |
| SHA512 | b308fefbfd176d2f702e33d1e95909ef28e7b96e9a0646849527c3a1a75d695df1f944cfdc8f3c958c3f9781f6a04d5b6b61f55596322f1722a9422ff6a8ac12 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e1e419247da9b171f4ec5ab355f6ef13 |
| SHA1 | fdd021917f43b4560d3f12a5bd54f52d914e743c |
| SHA256 | 8a192f425f6f5a449eddbf7733b531931c2015dad9c57fc50334326044ae7c09 |
| SHA512 | 74c5ef6e52850ee8bb30f18a853572670edc7b1b4a57cb368e18d41b95ea1633a639b3f250854410c9df894f84f41bc0c68c440455dc3ed72613007b2bf27c2c |
Analysis: behavioral24
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\layouts\main.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ff8156b46f8,0x7ff8156b4708,0x7ff8156b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,107456579543957903,18187873580503838802,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5296 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 52.111.227.13:443 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 983cbc1f706a155d63496ebc4d66515e |
| SHA1 | 223d0071718b80cad9239e58c5e8e64df6e2a2fe |
| SHA256 | cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c |
| SHA512 | d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd |
\??\pipe\LOCAL\crashpad_3868_ZEUDHENJTOAYNQMJ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 111c361619c017b5d09a13a56938bd54 |
| SHA1 | e02b363a8ceb95751623f25025a9299a2c931e07 |
| SHA256 | d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc |
| SHA512 | fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0070e88ad8dd2286fce6349c72ae9a0a |
| SHA1 | c5f036dfbecb1133c6712cda49aae7cd9703a3d4 |
| SHA256 | 70cb06bd8c8722ebecccbacf63b272552706d66cfec3e0b5227f300dc1cf8291 |
| SHA512 | 06ba1408cd0a9c959050044627465d6da25a86e42d751c6be426af7e24147a075644ac508369e8386e58cac3f23ef58d4145447afedc1d3dbfd22cc156878aa3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bfe3f0c393f8b66930c112df0795efb6 |
| SHA1 | 2e10cf56e8940e012726ddb6b48afb0e60200406 |
| SHA256 | cd843605d1d5d3ccec6035ca873545446780fbcc1d237213dbaedac6fe38867c |
| SHA512 | 1bfc52fe9d7241538aaf95ded109fa01a84a4a8e38e97771c3ee04cb4ad8ed258b1c9d9a149083a436e2c9fdb05963cecd2668474e7812e5f289238a4f3108a9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 195b84cad699f58de8acf4687b551d67 |
| SHA1 | c7d5a311c0e8d8fbb87144c631d06df7dd8c3ecc |
| SHA256 | 91a9087f7b24b84c8797ba846c617c4992c1411c6c46d3d931f7b5bf7c7e6a0d |
| SHA512 | a5276c7a2bb492ff29ef22c4e11fc3cf35fb398ae910815a65150376190ba6e536c5ffc958ac23e49587a73d747fe39fdf4918b2986db237d5a19d9c3eb009e5 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-08-31 19:11
Reported
2024-08-31 19:14
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
116s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\hubotio-hubot-b50c39c\docs\patterns.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
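The Network tables in these detonations mix three kinds of rows: reverse (PTR) lookups the sandbox VM issues for peers it has just talked to, Bing/Microsoft endpoints that Edge contacts on its own after being handed a local `docs\layouts\*.html` file from the archive, and a few connections with no domain at all. Separating those buckets, and turning the `in-addr.arpa` names back into the IPs they describe, is the first step of reading such a table. The script below is an added triage example, not part of the sandbox report or of the hubot project; the sample rows are constructed in the shape of the tables above, and the `KNOWN_BROWSER_TELEMETRY` allowlist is an assumption for the demo, not a list the sandbox vendor publishes.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample rows, copied in shape from the report's Network tables.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 52.111.227.13:443 | | tcp |
"""

# Assumed allowlist: domains Edge / IE reach on their own when opening a page.
# This is an example set for the demo, not vendor-maintained intelligence.
KNOWN_BROWSER_TELEMETRY = {"g.bing.com", "tse1.mm.bing.net", "ieonline.microsoft.com"}

# One table row: | Country | Destination | Domain | Proto |
ROW_RE = re.compile(r"^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$")


def ptr_to_ip(name):
    """'149.220.183.52.in-addr.arpa' -> '52.183.220.149'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def parse_rows(text):
    """Parse pipe-delimited rows into dicts; silently skips headers and junk."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, dest, domain, proto = m.groups()
        ip, _, port = dest.rpartition(":")
        if not ip or not port.isdigit():
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Bucket one row by what the traffic is."""
    addr = ipaddress.ip_address(row["ip"])
    if addr.is_multicast:
        return "multicast"            # mDNS to 224.0.0.251:5353
    if row["port"] == 53:
        return "ptr-lookup" if ptr_to_ip(row["domain"]) else "dns-query"
    if row["domain"] in KNOWN_BROWSER_TELEMETRY:
        return "browser-telemetry"
    if not row["domain"]:
        return "unnamed-connection"   # IP with no name in the report
    return "other"


def triage(text):
    rows = parse_rows(text)
    buckets = Counter(classify(r) for r in rows)
    # IPs recovered from PTR names: peers the VM contacted (or tried to
    # attribute) even where no forward lookup appears in the table.
    ptr_ips = sorted({ptr_to_ip(r["domain"]) for r in rows
                      if classify(r) == "ptr-lookup"})
    review = [r for r in rows if classify(r) in ("unnamed-connection", "other")]
    return {"buckets": dict(buckets), "ptr_ips": ptr_ips, "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(result["buckets"])
    print("hosts seen only via PTR:", result["ptr_ips"])
    for r in result["review"]:
        print("review:", r["ip"], r["port"], r["proto"])
```

Run over the sample, the only row left for a human to look at is the unnamed TLS connection to 52.111.227.13:443; everything else is either the sandbox resolving its own peers (note that `10.28.171.150.in-addr.arpa` reverses to 150.171.28.10, the `tse1.mm.bing.net` address used a few rows earlier) or Edge's normal start-up traffic. The allowlist is the part to treat with care: a verdict should rest on the process that made the connection and the content exchanged, not on the domain alone.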