Analysis Overview
SHA256
85841700199bb0762518be8266169250ed6a0b4e48e6dfb4e47b8da5c78d12c8
Threat Level: Known bad
The file d281e5deaca5508ef83398adf429873e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
AmmyyAdmin payload
FlawedAmmyy RAT
UPX packed file
Checks computer location settings
Drops file in System32 directory
Browser Information Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Modifies data under HKEY_USERS
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
System policy modification
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-07 17:49
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-09-07 17:49
Reported
2024-09-07 17:52
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253f295d27b065eb36b | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 7f632bd7ff2284b15c7b7cdf8f7e3e5064d6c05a4b84c2d06437709b5aea625db01c449eac4bd6ba611f6dc9dba8d2ca0beef4748941da912f9afb1999e877146f3d87082f48465d58dcb9 | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4284 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe |
| PID 4284 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe |
| PID 4284 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"
C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | e4f7224ed356915816bebb715326d18a |
| SHA1 | 8b441bb4276212b9e774cba75fdbb723cb68af93 |
| SHA256 | 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c |
| SHA512 | 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2 |
C:\ProgramData\AMMYY\hr
| MD5 | c7a35d29edc326686359b243b14c6ea5 |
| SHA1 | 74f7d0b8abc3f9846f5c0571541b3101082086fc |
| SHA256 | 38a05824da3755ce608d5d34011f4abf3ffcee47c24e65a03bb098140dd2d554 |
| SHA512 | a3ea2dfe007cd579ffde3cf08c06d086cf6ca6d5555580eeef14467f7b89e31637eb2c4f4e7b08067f0a9e1cb983750661090380b74a20b53e1e6cdd1e1990a3 |
C:\ProgramData\AMMYY\hr3
| MD5 | 72333e9466ce79ee0a19bb917502144a |
| SHA1 | fb88da5ced9fc17ae18d8485f1187d9b6b26a399 |
| SHA256 | 5e0d9dcda81d108522e9659b2733eb4a8ef5de388e22774e604964e691ee951b |
| SHA512 | 495085d6ebc241f63e6dc9617caa40a7b6986faeee2e50d6e4cc248ef6c36f0fc12a9915e2736036f78ff80422588116d886af0ff558ec088b58930287f96cfe |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-07 17:49
Reported
2024-09-07 17:52
Platform
win7-20240903-en
Max time kernel
120s
Max time network
145s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3039d75b4e01db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431893252" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000610d8a66faa6aaad43dc641bd08921b8743eb5518811da6470c983f9343e55df000000000e80000000020000200000009a270f700ab68cf38121c6497891e2767a45cc59308be6470f5b31ecaa7eff9c2000000014babbd114df22c0244373613e6f7b8bd2c11cc9988243f1de1aa0c3de550ec940000000a5cde3b4857b8b176d9ff8aafbcf09f437574ca518c614de274c822c198e8afb2dff7684e48dd6f087ef27e1f96f16d7b7b7f789298df31391bf06a137f30b37 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{874E6391-6D41-11EF-BB31-7694D31B45CA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3060 wrote to memory of 2616 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3060 wrote to memory of 2616 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3060 wrote to memory of 2616 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3060 wrote to memory of 2616 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\DATA\OS\OKOF.htm
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabFD07.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarFD68.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 91317223a02818ec0e06837bf0764cd4 |
| SHA1 | 40f518cf1565f5ac9743d9e391cde218524ecdde |
| SHA256 | 39d785c6249d172004cc794369d4932439ec7504bb7d1dc4ca3cbac4663fe90c |
| SHA512 | 4cdac1a1aa9cc40336c09bcbb92c3cd9458ed4572191c82c05ac2cfb8f74bf81dc9aa7ba8e9edcbcde9a3102a87ad99d82d75956911bf983bc114434bf118a74 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e76ca120af61afef764b82ebb6ac931d |
| SHA1 | ac99361f3324f28804b9dd6f14304a2ff3115e33 |
| SHA256 | 20732bf36aae76ab056a0794b6971a696f5fcc6a409c1f27175a79cc33ca67c3 |
| SHA512 | 9445c8f123382c45a974d8a475f6a1732312d6b98e1f20c278cebe6be1ea1dcaf82d80fed4ae82a37bc3afaf1db661f8b1ab1cc98d70f11795add77eb5c1600e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 440e6e6d35fa5fbd63249d7633a02176 |
| SHA1 | 389fd45b5cb1b8584248086b6ff3be246f2baacb |
| SHA256 | dc7a95e67fed75039d8f7ebc8def94450ddd82429029b49ca99caaddef947b32 |
| SHA512 | 4b73cdd18a24a02fbe57791d27b935777595b334141142570e9af12b933f345392ee190ea87373f832ae546e7194ba9b8a681663474b4a4c19870280676f2186 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eb25e7155e9f3b5b60966a09b66c482a |
| SHA1 | 2c445b4515fe2588ae3cb34ae42fe36d1524c4e2 |
| SHA256 | 0525724a9c3ac2323d3647cd3b3902df601a6092f922808bd7aa1d2173f1f185 |
| SHA512 | 85c917ebf496c0ab20950207d0de788ab09fd1b03ecba7034daa3c264a9f222be5a995359f2f2489b15b67ed7925ff1d4bbfbca3a0a9fa2277eb6f0da395e08a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c593e99f280f6df7e24602482f82d24f |
| SHA1 | 463a47ff30bacc5efbd2563773c4e932ba647a42 |
| SHA256 | 39cd5b42b61f169fde28e8f330455b20058d3224a3701705454fcea01a55ae7b |
| SHA512 | 5cd64d8d9aa46169d1478e3743da212453e609e607fd2d83b255d4e364c43e4efa0986ddcd53c063d2f6acab3407e83ff81079f186d45abf656b1b850a73a3ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6dc3718e912c57e7ffcad85f8c5140cd |
| SHA1 | 22b8a35053cf1a0f90dc7a2c32e4185cb648d835 |
| SHA256 | c43f109a8e68619af6bb0a9edf3c516060b2e3180da8248e1f408f28ca88de41 |
| SHA512 | a29f5ee3c42b86c2a4dedd4801ea99a4c8e258ed9ea7c9f81859e5a4fee5ab5af2524d798270196b7a15ea18b8a7fe062a919fbbc805b6bb5723cab0952ea597 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7e5b7bffad8d0619e2aeaafa6647a58f |
| SHA1 | c2af74fb5b213b0c03834ba36cf74a5ec993dc44 |
| SHA256 | 53fc0747c6643469dd73258fe2730a582cc255692d427b84f6cb9952ff062701 |
| SHA512 | d14daf5c1ea0cee07f4c8922c1d366ad11354c3f230892f682949c3fd242d4bf5b23e42e75e08349525bb8a93ea47d2d4c81acbe2f231ca6642b2c5c34af8d4c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc6cceadc382654f7839f4773c8a00da |
| SHA1 | 0e84e1da2c86b1183aef26994235370593d1da0e |
| SHA256 | 2a8c95b6743155c4789c34b81a6aac9a1992024e620e48d7b7cf2b41f351a71f |
| SHA512 | 4bb22ba183871b97a9c79ad28192c5e4ff960ad64a6ee13be4cb8b388fd564e084375b80b94d194df0ace17e34b23f405f8de85750724c87933dc97405d27fd4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e3c014d69c9958564f9f2b781218bfa |
| SHA1 | 366bf1f164bd90b9617f8ce2efdbd3a8cc1d5b8a |
| SHA256 | 69831fe8729c79a658eb54dc7944d2aee7c75fb5ccd7464208b4469da6fdbe0f |
| SHA512 | 561e1931bc430c934d72d13d1efa84b3ac9efe9eb988abc3ced5d7517d7b08492772c4d58da080494f2535ef05e3a3404bc4371a3a5afe53d7db56963b45d47a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e30e286014fe7059a85aa47323eaf891 |
| SHA1 | e1e2f4f727b17b33d44083b901507a6dd32d33ce |
| SHA256 | e767cd22d1b7cf45c21a705e97f6b6424bb043ac29bd149085fb7a0b127a2c36 |
| SHA512 | 00283ee00f450f804c137b18439f59b57c8d2c52f4ff376d3a9b16cea6abe6da41c5a93a5a6400418e6af2d129e9a69cc3334388cc7c7da29ba3bab32c701e4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7dcb65956230d7f7ff725b939c1fd6f |
| SHA1 | bce7f10df9527c9714ecfb148acf1525570c5c15 |
| SHA256 | ac180c73ecbb7785f2b767086973f3d9ffa1e3778f21d2a9c8e7bfc96d904202 |
| SHA512 | cc0a0711a872996ea3bbfff8671b1eab906f77625da45c01e6140b57948621ebf9fbb4b864ad7f23a110f958b5e5a7d2e42061537ff15255a3e8c7d440283fa6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0ad377b46e61538d377b59992b8f2437 |
| SHA1 | 8a0ba4fc705cc2f15f1a9fa3245029d9f3c67fb9 |
| SHA256 | a3b43e85376062199a3e6acf89f17aa4115ab5c21081cb81ed1fb311a7ff6546 |
| SHA512 | b9577da5c0613b2ae84276de8ed5cccd6eca769e7c1dfb49aaf838d2080ebb704122b1a4f8580c616902c4ae636a07b286216e364f93e01894f2573ad84bae19 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7e24f44d9a5c20e5410added7efe37b2 |
| SHA1 | 1229df90a42b458741e0498754a48fd8367efb08 |
| SHA256 | e06008f95b24bf71d33d8d24517d2d0a32ba84ed1808dc6943d2f49005f69519 |
| SHA512 | 876f7288f8d14a3279093eec69f45f935d574dc660a3497117d8ccba3f894bcb7f49c44a71d04e957eccc437877899f8bf119dd4814422c35601f1bcbcfbd56a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 45f41693a276fd06944b330bc9ff450d |
| SHA1 | 8931861503992452e623b2803bf20ee1e810161b |
| SHA256 | f37ce8efdd2727b3673aec2db43595f6a207bfc07e58171b41cc4b033b096401 |
| SHA512 | 7297ce4cbbf43093ebb163c00dad467cbf498be50682ec0cc142b317edb349cee339eb3bbad6310065debc311dec614778081d701271ba78899e91c01f273cab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 387b151c5c5d9a5a476afff79c32b4c5 |
| SHA1 | c9e8de8cccc4afb8a6a87b36e1f42c92869b63d7 |
| SHA256 | ec6f43dfd3bf2d526cc2003089b2385ea903f83cf97c027c878dfe117af884d0 |
| SHA512 | 3effecc9cbc8ebf1a221aec5d3b464a25a0be0d58c2527953623b33c1d058f209efb1951efbf305b7dac61c698cef0c50b45f28d05c2263ab33456b13d51f4f4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 816fcb7f968eaad635ae3952b41e3a0f |
| SHA1 | 3a029c60c198827e6950884015cbf119056457e3 |
| SHA256 | 6f873c531132eac6fe7da53afee12eca9dfd6d9da3bac27e73a5d6eb314545f7 |
| SHA512 | 95738610d055bc7c00cac94fc1f30f72b1e32896c217bb41a859e4d4f1251bd5515bf709ad59d3557e81b06fcbd05b04d04ec7ddedb3f5d91021fca81c44725c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-07 17:49
Reported
2024-09-07 17:52
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
131s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\DATA\OS\OKOF.htm
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbeb746f8,0x7ffdbeb74708,0x7ffdbeb74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_4656_FDSJTVCKFSCJKWPP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-07 17:49
Reported
2024-09-07 17:52
Platform
win7-20240903-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2492 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe |
| PID 2492 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe |
| PID 2492 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe |
| PID 2492 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe |
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "3" | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats\CF_HDROP = "15" | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe"
C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe" --restartInActiveSession --sess_id 1
C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
--justStart
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | online.sbis.ru | udp |
| RU | 91.213.144.193:443 | online.sbis.ru | tcp |
| US | 8.8.8.8:53 | update.sbis.ru | udp |
| RU | 91.232.93.95:80 | update.sbis.ru | tcp |
| US | 8.8.8.8:53 | update-yar1.sbis.ru | udp |
| RU | 212.232.32.6:80 | update-yar1.sbis.ru | tcp |
| US | 8.8.8.8:53 | rhm-server.sbis.ru | udp |
| US | 8.8.8.8:53 | rhm-server.saby.ru | udp |
Files
memory/2380-3-0x0000000000400000-0x0000000000BAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DATA\tv\tensorrh.log
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log
memory/2492-11-0x0000000000400000-0x0000000000BAB000-memory.dmp
memory/2492-23-0x0000000001FE0000-0x000000000278B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log
memory/2504-30-0x0000000000400000-0x0000000000BAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log
memory/2380-81-0x0000000000400000-0x0000000000BAB000-memory.dmp
memory/2492-82-0x0000000000400000-0x0000000000BAB000-memory.dmp
memory/2504-116-0x0000000000400000-0x0000000000BAB000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-07 17:49
Reported
2024-09-07 17:52
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
102s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1480 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe |
| PID 1480 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe |
| PID 1480 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe |
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "3" | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats\CF_HDROP = "15" | C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe"
C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe" --restartInActiveSession --sess_id 1
C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
--justStart
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | online.sbis.ru | udp |
| RU | 91.213.144.193:443 | online.sbis.ru | tcp |
| US | 8.8.8.8:53 | 193.144.213.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.sbis.ru | udp |
| RU | 91.232.93.95:80 | update.sbis.ru | tcp |
| US | 8.8.8.8:53 | update-msk2.sbis.ru | udp |
| RU | 139.45.228.9:80 | update-msk2.sbis.ru | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.93.232.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rhm-server.sbis.ru | udp |
| US | 8.8.8.8:53 | rhm-server.saby.ru | udp |
| US | 8.8.8.8:53 | 9.228.45.139.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4228-0-0x0000000000400000-0x0000000000BAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DATA\tv\tensorrh.log
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log
memory/1480-18-0x0000000000400000-0x0000000000BAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log
memory/4228-76-0x0000000000400000-0x0000000000BAB000-memory.dmp
memory/1480-77-0x0000000000400000-0x0000000000BAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log
memory/2208-113-0x0000000000400000-0x0000000000BAB000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-09-07 17:49
Reported
2024-09-07 17:52
Platform
win7-20240903-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c17525337dace7b065eb36b | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 14bbd271480b88921c3997c883e890fbe473b0911ae5f92336cefeba74e58be2589d9bb1c7f7ee63d80bec0a35c844869b8b8a655f034eed142b436c464e236937c5ee357999e6bdf7a157 | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2992 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe |
| PID 2992 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe |
| PID 2992 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe |
| PID 2992 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe | C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"
C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | N/A | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
C:\ProgramData\AMMYY\hr
C:\ProgramData\AMMYY\hr3