Malware Analysis Report

2024-10-16 05:09

Sample ID 240907-wd5fgsydja
Target d281e5deaca5508ef83398adf429873e_JaffaCakes118
SHA256 85841700199bb0762518be8266169250ed6a0b4e48e6dfb4e47b8da5c78d12c8
Tags: flawedammyy discovery trojan upx ammyyadmin
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

85841700199bb0762518be8266169250ed6a0b4e48e6dfb4e47b8da5c78d12c8

Threat Level: Known bad

The file d281e5deaca5508ef83398adf429873e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

flawedammyy discovery trojan upx ammyyadmin

Ammyyadmin family

AmmyyAdmin payload

FlawedAmmyy RAT

UPX packed file

Checks computer location settings

Drops file in System32 directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

System policy modification

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-07 17:49

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-07 17:49

Reported

2024-09-07 17:52

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253f295d27b065eb36b C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 7f632bd7ff2284b15c7b7cdf8f7e3e5064d6c05a4b84c2d06437709b5aea625db01c449eac4bd6ba611f6dc9dba8d2ca0beef4748941da912f9afb1999e877146f3d87082f48465d58dcb9 C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"

C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 e4f7224ed356915816bebb715326d18a
SHA1 8b441bb4276212b9e774cba75fdbb723cb68af93
SHA256 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c
SHA512 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2

C:\ProgramData\AMMYY\hr

MD5 c7a35d29edc326686359b243b14c6ea5
SHA1 74f7d0b8abc3f9846f5c0571541b3101082086fc
SHA256 38a05824da3755ce608d5d34011f4abf3ffcee47c24e65a03bb098140dd2d554
SHA512 a3ea2dfe007cd579ffde3cf08c06d086cf6ca6d5555580eeef14467f7b89e31637eb2c4f4e7b08067f0a9e1cb983750661090380b74a20b53e1e6cdd1e1990a3

C:\ProgramData\AMMYY\hr3

MD5 72333e9466ce79ee0a19bb917502144a
SHA1 fb88da5ced9fc17ae18d8485f1187d9b6b26a399
SHA256 5e0d9dcda81d108522e9659b2733eb4a8ef5de388e22774e604964e691ee951b
SHA512 495085d6ebc241f63e6dc9617caa40a7b6986faeee2e50d6e4cc248ef6c36f0fc12a9915e2736036f78ff80422588116d886af0ff558ec088b58930287f96cfe

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-07 17:49

Reported

2024-09-07 17:52

Platform

win7-20240903-en

Max time kernel

120s

Max time network

145s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\DATA\OS\OKOF.htm

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3039d75b4e01db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431893252" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000610d8a66faa6aaad43dc641bd08921b8743eb5518811da6470c983f9343e55df000000000e80000000020000200000009a270f700ab68cf38121c6497891e2767a45cc59308be6470f5b31ecaa7eff9c2000000014babbd114df22c0244373613e6f7b8bd2c11cc9988243f1de1aa0c3de550ec940000000a5cde3b4857b8b176d9ff8aafbcf09f437574ca518c614de274c822c198e8afb2dff7684e48dd6f087ef27e1f96f16d7b7b7f789298df31391bf06a137f30b37 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{874E6391-6D41-11EF-BB31-7694D31B45CA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000b372e2c2b56e62f95ba5fb8b08a27d2bd861df7d53e52526e72694030f18e308000000000e80000000020000200000001e81842ad330f211d52023cd247d9ff722097051fa63117a163469da5ee1b44890000000675fd23d4ce00820fc8c27ceb4b5a50ea8fa8eda4cee297e2825da38a0acfb477d33fdc596de98a4feaaea4245a0b8b6c2655ed73e1baec4664ac64997f21e07fa3efe80c03eee63f6929c98e3b77638b32cfb0282f3eef8f49462f2f9d753246f184aebd601c4eac53bd3cc337dbbfc7efe31e6472481c7e35cd7fe25354a3f42a9f972c177e057a81765f9fac48f8f400000006631ad0b9bf14ca71ac2ec59eca7b6be23c266a535599a01988267b24bb00edec4126370b0ff84d8afb459f5da0e0cd3486c1f2b9bfa1e88d7a64dd4a42def41 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\DATA\OS\OKOF.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-09-07 17:49

Reported

2024-09-07 17:52

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

131s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\DATA\OS\OKOF.htm

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 2204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\DATA\OS\OKOF.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbeb746f8,0x7ffdbeb74708,0x7ffdbeb74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,8194739942363902887,4697555713518501493,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_4656_FDSJTVCKFSCJKWPP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-07 17:49

Reported

2024-09-07 17:52

Platform

win7-20240903-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 identical entries)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe N/A (3 identical entries)

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe N/A (64 identical entries)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "3" C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats\CF_HDROP = "15" C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe"

C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe" --restartInActiveSession --sess_id 1

C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe

--justStart

Network

Country Destination Domain Proto
US 8.8.8.8:53 online.sbis.ru udp
RU 91.213.144.193:443 online.sbis.ru tcp
US 8.8.8.8:53 update.sbis.ru udp
RU 91.232.93.95:80 update.sbis.ru tcp
US 8.8.8.8:53 update-yar1.sbis.ru udp
RU 212.232.32.6:80 update-yar1.sbis.ru tcp
US 8.8.8.8:53 rhm-server.sbis.ru udp
US 8.8.8.8:53 rhm-server.saby.ru udp

Files

memory/2380-3-0x0000000000400000-0x0000000000BAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DATA\tv\tensorrh.log

C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

memory/2492-11-0x0000000000400000-0x0000000000BAB000-memory.dmp

memory/2492-23-0x0000000001FE0000-0x000000000278B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

memory/2504-30-0x0000000000400000-0x0000000000BAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

memory/2380-81-0x0000000000400000-0x0000000000BAB000-memory.dmp

memory/2492-82-0x0000000000400000-0x0000000000BAB000-memory.dmp

memory/2504-116-0x0000000000400000-0x0000000000BAB000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-07 17:49

Reported

2024-09-07 17:52

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 identical entries)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe N/A (3 identical entries)

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe N/A (64 identical entries)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "3" C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats\CF_HDROP = "15" C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe N/A
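The two policy writes above are worth decoding rather than just listing. SoftwareSASGeneration controls the "Disable or enable software Secure Attention Sequence" policy: 0 (default) disallows software-simulated Ctrl+Alt+Del, 1 allows services, 2 allows Ease of Access applications, 3 allows both. The UIPI\Clipboard\ExceptionFormats key lists clipboard formats exempted from User Interface Privilege Isolation; CF_HDROP (format id 15) is the file-drop list. Both settings are typical of remote-control software that needs to drive the console session and support file drag-and-drop, and both survive the process that set them. The script below is an added example, not part of the report or of the binaries it describes: it parses the report's own "Set value (int)" indicator strings (plus one constructed benign control row) and turns each into a finding with its meaning and severity, so the same logic can be pointed at registry-set events from a host.

```python
"""Decode the SoftwareSASGeneration and UIPI clipboard-exception writes.

Added example; not part of the sandbox report or of RemoteHelper.exe.
Input rows are the report's own 'Set value (int)' indicators plus one
constructed control row that must not produce a finding.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

POLICY_SYSTEM = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UIPI_EXCEPTIONS = POLICY_SYSTEM + r"\UIPI\Clipboard\ExceptionFormats"

# Values of the "Disable or enable software Secure Attention Sequence" policy.
# Anything other than 0 lets software simulate Ctrl+Alt+Del.
SAS_MEANING = {
    0: "software SAS disabled (default)",
    1: "services may simulate SAS",
    2: "Ease of Access applications may simulate SAS",
    3: "services and Ease of Access applications may simulate SAS",
}

# Standard clipboard format ids from winuser.h; 15 is CF_HDROP (file drop list).
CLIPBOARD_FORMATS = {1: "CF_TEXT", 2: "CF_BITMAP", 8: "CF_DIB", 13: "CF_UNICODETEXT", 15: "CF_HDROP"}


@dataclass(frozen=True)
class RegSet:
    key: str       # registry key in the sandbox's \REGISTRY\MACHINE\... notation
    value: str     # value name
    data: int      # DWORD written
    process: str   # image that performed the write


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str
    process: str


def parse_indicator(indicator: str, process: str) -> RegSet:
    """Parse '<key>\\<value> = "<int>"' exactly as the report prints it."""
    target, _, raw = indicator.partition(" = ")
    key, _, value = target.rpartition("\\")
    return RegSet(key, value, int(raw.strip().strip('"')), process)


def evaluate(ev: RegSet) -> Optional[Finding]:
    key = ev.key.lower()
    if key == POLICY_SYSTEM.lower() and ev.value.lower() == "softwaresasgeneration":
        if ev.data == 0:
            return None  # default: nothing may simulate SAS
        meaning = SAS_MEANING.get(ev.data, f"undocumented value {ev.data}")
        return Finding("software-sas-enabled", "medium",
                       f"SoftwareSASGeneration={ev.data}: {meaning}; remote-control tools "
                       f"need this to send Ctrl+Alt+Del to the console session", ev.process)
    if key == UIPI_EXCEPTIONS.lower():
        fmt = CLIPBOARD_FORMATS.get(ev.data, f"format id {ev.data}")
        sev = "medium" if ev.data == 15 else "low"
        return Finding("uipi-clipboard-exception", sev,
                       f"{ev.value} ({fmt}) exempted from UIPI clipboard isolation: a lower-"
                       f"integrity process may hand this format to higher-integrity windows", ev.process)
    return None


# The report's two rows, plus a constructed control row (default value, no finding).
SAMPLE_ROWS: List[Tuple[str, str, str]] = [
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "3"',
     r"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe"),
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats\CF_HDROP = "15"',
     r"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe"),
    ("Set value (int)",  # constructed control
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "0"',
     r"C:\Windows\System32\svchost.exe"),
]


def scan(rows: List[Tuple[str, str, str]]) -> List[Finding]:
    out = []
    for desc, indicator, process in rows:
        if desc != "Set value (int)":
            continue  # string/binary writes (e.g. the Ammyy hr blobs) are out of scope here
        finding = evaluate(parse_indicator(indicator, process))
        if finding:
            out.append(finding)
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"[{f.severity}] {f.rule}: {f.detail} <- {f.process}")
```

On a live host the same two values can be read back from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; a SoftwareSASGeneration of 3 on a machine with no sanctioned remote-support tool is the point to investigate.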

Processes

C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe"

C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe" --restartInActiveSession --sess_id 1

C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe

--justStart

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 online.sbis.ru udp
RU 91.213.144.193:443 online.sbis.ru tcp
US 8.8.8.8:53 193.144.213.91.in-addr.arpa udp
US 8.8.8.8:53 update.sbis.ru udp
RU 91.232.93.95:80 update.sbis.ru tcp
US 8.8.8.8:53 update-msk2.sbis.ru udp
RU 139.45.228.9:80 update-msk2.sbis.ru tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 95.93.232.91.in-addr.arpa udp
US 8.8.8.8:53 rhm-server.sbis.ru udp
US 8.8.8.8:53 rhm-server.saby.ru udp
US 8.8.8.8:53 9.228.45.139.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4228-0-0x0000000000400000-0x0000000000BAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DATA\tv\tensorrh.log

MD5 58b706d39ad557209d67e600afb60991
SHA1 1b0b3e121acfe0317fa9f73849b1cfd1f5b58c6b
SHA256 ecfd654684f5f458c2b5c0ac366dde78d77038efa8ff7c825512ec11db32beaa
SHA512 b735ce981f3cd064e08e419dca275ad096e367184a90ac002e6b3a9f9bf431e3db4a15488284f973a8f80ea62ef7dceaba48adf75ba682211b7f97a141b4615d

C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

MD5 9b78982593419764071b527932de1fc5
SHA1 082ddfb720e9ad7c9b3a77f174cc8dbff6cd8841
SHA256 8ba0f47f47781f368cc44ab74f6f41e01be771d74e2b138e7f2ccaa709e1763a
SHA512 3b33ebbee07b6b7747eafc36d0d9dcd4ef35bef84f8a55d8974baacb580b5a509be21832fe242eecde8637558c020eb702128f830793ddb8a61a2bb75aa07f5c

C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

MD5 28e2f791151516c54df6f718f186b47b
SHA1 7d49cace234f8dd852a488c2902a8b92bd491ef6
SHA256 98df6257049395d680d2ae731e15845ad8e7a1aa0c2e13bb50e2d75038bff5cc
SHA512 45ec286e3b417296c22429f2ed52975169c67aef203884d28b4245c55469e7b994b9cf2626a1ea948b09f2e7fa3644f0152667d7c84517d269a25a184bd43b7a

memory/1480-18-0x0000000000400000-0x0000000000BAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

MD5 ed0d762c86b0d3b4c758d5f54058cb6b
SHA1 1f411008cb4b08af77d6a55bb5f0a9cbc757799f
SHA256 0bbc36918ae9b18bb9d495601b29cc5ea4547a629bf8f5666b07a6926b4c347a
SHA512 ed30da60f902c2be741a352cb8254037bd7d3698ad080618cce8bec94032e3a16c9490053d48527e787a5e9f836fc456ba6898bbf5fc0c32a3dbea3e8baedc57

memory/4228-76-0x0000000000400000-0x0000000000BAB000-memory.dmp

memory/1480-77-0x0000000000400000-0x0000000000BAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

MD5 a95c4fe9d9f333d4ef3d8727028e0346
SHA1 e185772085ee8906157c1c04a209372d7eadecc9
SHA256 c6a99849ad8d5f1b5650b7dc018c2c538981729d6c85ea42df70a74883e24b91
SHA512 d0a8c53fb94bcdde735c2914e6eeaa54a17aa33649231a90666f2e9aeb8bc3fab7435ae1c295cc75c6815e06c8b9c716e0a22b54c4748763da24b08f1d8bce65

memory/2208-113-0x0000000000400000-0x0000000000BAB000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-09-07 17:49

Reported

2024-09-07 17:52

Platform

win7-20240903-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A (3 identical rows)

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c17525337dace7b065eb36b C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 14bbd271480b88921c3997c883e890fbe473b0911ae5f92336cefeba74e58be2589d9bb1c7f7ee63d80bec0a35c844869b8b8a655f034eed142b436c464e236937c5ee357999e6bdf7a157 C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"

C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe

"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
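The Network tables in this report (the RemoteHelper.exe run earlier and the aa_v3.exe run here) mix three kinds of rows: queries to the sandbox's resolver at 8.8.8.8:53, the sandbox's own reverse lookups of every IP it saw (the in-addr.arpa names, which are not something the sample asked for), and the actual endpoints and domains the processes contacted, one of which (136.243.104.235:443) has no domain at all. The script below is an added example, not part of the report: it parses rows in the table's own format into a domain set and an endpoint set with that noise removed, then matches them against constructed DNS and connection log lines. The report does not classify the sbis.ru/saby.ru hosts beyond listing them; treat them as observed infrastructure of the RemoteHelper.exe component and check reputation before blocking, whereas rl.ammyy.com is the Ammyy Admin rendezvous host the aa_v3.exe component contacted.

```python
"""Turn the report's Network tables into IOC sets and match them against logs.

Added example; not part of the sandbox report. NETWORK_ROWS are rows copied
from the two Network tables in this report; DNS_LOG and CONN_LOG are
constructed sample log lines.
"""
from typing import Iterable, List, Set, Tuple

NETWORK_ROWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 online.sbis.ru udp
RU 91.213.144.193:443 online.sbis.ru tcp
US 8.8.8.8:53 update.sbis.ru udp
RU 91.232.93.95:80 update.sbis.ru tcp
RU 139.45.228.9:80 update-msk2.sbis.ru tcp
US 8.8.8.8:53 rhm-server.sbis.ru udp
US 8.8.8.8:53 rhm-server.saby.ru udp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
"""

SANDBOX_RESOLVER = "8.8.8.8:53"  # the sandbox's DNS server, not an indicator

Row = Tuple[str, str, str, str]  # country, destination, domain ('' if absent), proto


def parse_rows(text: str) -> Iterable[Row]:
    """Parse 'Country Destination Domain Proto' rows; the Domain column may be missing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:  # e.g. 'DE 136.243.104.235:443 tcp'
            country, dest, proto = parts
            domain = ""
        else:
            continue
        yield country, dest, domain, proto


def extract_iocs(rows: Iterable[Row]) -> Tuple[Set[str], Set[str]]:
    domains: Set[str] = set()
    endpoints: Set[str] = set()
    for _country, dest, domain, _proto in rows:
        if domain.endswith(".in-addr.arpa"):
            continue  # sandbox reverse lookups of IPs it observed; not sample behaviour
        if domain:
            domains.add(domain.lower())
        if dest != SANDBOX_RESOLVER:
            endpoints.add(dest)
    return domains, endpoints


# Constructed sample logs: '<ts> <client> query <name> <type>' and '<ts> <client> -> <ip:port> <proto>'
DNS_LOG = """\
2024-09-07T17:50:01Z 10.0.0.15 query online.sbis.ru A
2024-09-07T17:50:02Z 10.0.0.15 query www.example.com A
2024-09-07T17:50:03Z 10.0.0.22 query RL.AMMYY.COM A
"""
CONN_LOG = """\
2024-09-07T17:50:04Z 10.0.0.15 -> 91.213.144.193:443 tcp
2024-09-07T17:50:05Z 10.0.0.15 -> 93.184.216.34:443 tcp
2024-09-07T17:50:06Z 10.0.0.22 -> 136.243.104.235:443 tcp
"""


def match_logs(domains: Set[str], endpoints: Set[str],
               dns_log: str, conn_log: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, source, indicator) for every log line hitting an IOC."""
    hits = []
    for line in dns_log.splitlines():
        ts, client, _verb, name, _qtype = line.split()
        name = name.lower().rstrip(".")  # case-insensitive, ignore trailing dot
        if name in domains:
            hits.append((ts, client, "dns", name))
    for line in conn_log.splitlines():
        ts, client, _arrow, dest, _proto = line.split()
        if dest in endpoints:
            hits.append((ts, client, "conn", dest))
    return hits


if __name__ == "__main__":
    d, e = extract_iocs(parse_rows(NETWORK_ROWS))
    print("domains:", sorted(d))
    print("endpoints:", sorted(e))
    for hit in match_logs(d, e, DNS_LOG, CONN_LOG):
        print("hit:", hit)
```

Endpoint matching is exact on ip:port, which is deliberate: the report only shows one port per address, and widening to the bare IP would also flag unrelated services on shared hosting.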

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 e4f7224ed356915816bebb715326d18a
SHA1 8b441bb4276212b9e774cba75fdbb723cb68af93
SHA256 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c
SHA512 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2

C:\ProgramData\AMMYY\hr

MD5 933e29d75969ac0a77ed300582ee7661
SHA1 d751609311a253127518e815fcb834f7e2fa3ffe
SHA256 b2f9ba3156b4a61c4d4f678507c5625d13012a7babfd745a7fe1729250c8353d
SHA512 b8f2efa7c8868eb389740f6b463c792856815b8bc26055d77e3b0ddd21342b71005374e9aa8a52489c6a4009aaf4279c982ee5bb56c7a793bd15df9c85c5d3c5

C:\ProgramData\AMMYY\hr3

MD5 e1923a234173ddc1a93d462cf0fc6e1c
SHA1 6a442d823f5c9a5052e3ec7eb709490358129cbf
SHA256 f9de68a83b2d5666101e2a2ab580430401b382b66a2ccfcbad5926ad240a41b1
SHA512 18b332ebaa556c5fed798cd176f91ba782309823f90a7f0dbb48be71e93a8a61ed903d9d3f9b4dad2cde8ea5f55378f2e2e953de61497a5ca0e2c53afb7bd5fd
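Taken together, the aa_v3.exe rows in this detonation form one footprint: the binary relaunches itself with "-service -lunch", writes SOFTWARE\Ammyy\Admin (with the hr and hr3 blobs) under HKEY_USERS\.DEFAULT, which is the profile hive LocalSystem sees as HKCU and therefore places the writer in a service context, and drops settings3.bin, hr and hr3 into C:\ProgramData\AMMYY. The hashes listed for those three files describe this installation's state and will not recur on another host, so a hunt should key on paths, key names and the command line, not on the hashes. The script below is an added example, not part of the report or of Ammyy Admin/FlawedAmmyy: it classifies constructed Sysmon-like process, registry and file events (built from the rows above, with two benign control events) and correlates them into a verdict.

```python
"""Correlate the Ammyy Admin service-install footprint from the aa_v3.exe run.

Added example; not part of the sandbox report or of Ammyy Admin/FlawedAmmyy.
SAMPLE_EVENTS are constructed from the report's Processes, registry and Files
rows in a Sysmon-like shape, plus two benign control events.
"""
import ntpath
from typing import Dict, List, Optional, Tuple

AMMYY_DATA_DIR = r"C:\ProgramData\AMMYY"
AMMYY_FILES = {"settings3.bin", "hr", "hr3"}
AMMYY_KEY = r"\SOFTWARE\Ammyy\Admin"
SERVICE_ARGS = ("-service", "-lunch")     # spelled as in the report's process list
SYSTEM_HIVE = r"\REGISTRY\USER\.DEFAULT"  # the profile hive LocalSystem maps to HKCU


def classify(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (rule, detail) when a single event matches the footprint."""
    if ev["type"] == "process":
        argv = ev["cmdline"].split()
        image = ntpath.basename(argv[0].strip('"')).lower()
        if image == "aa_v3.exe" and all(a in argv[1:] for a in SERVICE_ARGS):
            return ("ammyy-service-launch", ev["cmdline"])
    elif ev["type"] == "registry":
        target = ev["target"]
        if AMMYY_KEY.lower() in target.lower():
            ctx = "service/SYSTEM" if target.upper().startswith(SYSTEM_HIVE) else "interactive user"
            return ("ammyy-registry", f"{target} [{ctx} context]")
    elif ev["type"] == "file":
        target = ev["target"]
        # Match on path only: these files hold per-install state, so the
        # report's hashes are not reusable as indicators.
        if (ntpath.dirname(target).lower() == AMMYY_DATA_DIR.lower()
                and ntpath.basename(target).lower() in AMMYY_FILES):
            return ("ammyy-config-file", target)
    return None


def correlate(events: List[Dict[str, str]]) -> Tuple[str, Dict[str, List[str]]]:
    """Group per-event matches by rule and derive a verdict for the host."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    required = {"ammyy-service-launch", "ammyy-registry", "ammyy-config-file"}
    if required.issubset(findings):
        verdict = "ammyy-admin-service-install"
    elif findings:
        verdict = "ammyy-admin-partial"
    else:
        verdict = "clean"
    return verdict, findings


# Constructed from the report's rows; the explorer.exe and Caches events are controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"'},
    {"type": "process", "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe" -service -lunch'},
    {"type": "process", "cmdline": r'"C:\Windows\explorer.exe"'},
    {"type": "registry", "target": r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3"},
    {"type": "registry", "target": r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"},
    {"type": "file", "target": r"C:\ProgramData\AMMYY\settings3.bin"},
    {"type": "file", "target": r"C:\ProgramData\AMMYY\hr"},
    {"type": "file", "target": r"C:\ProgramData\AMMYY\hr3"},
    {"type": "file", "target": r"C:\ProgramData\Microsoft\Windows\Caches\cversions.1.db"},
]


if __name__ == "__main__":
    verdict, findings = correlate(SAMPLE_EVENTS)
    print("verdict:", verdict)
    for rule, details in findings.items():
        for d in details:
            print(f"  {rule}: {d}")
```

The partial verdict matters in practice: a host that shows only the "-service -lunch" launch, or only the ProgramData files, is still a lead (an aborted install, or a cleanup that missed the files), and keeping the three signals separate tells the responder which one is missing.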