Malware Analysis Report

2024-10-24 21:03

Sample ID 240912-ek6tfszgpa
Target Solarًa.zip
SHA256 6a2cd69f4b8230fb9398bbaeca90ad5aef1089f4d8fcbc7ac571d4eb63b4c4c6
Tags
discovery cryptone packer
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

6a2cd69f4b8230fb9398bbaeca90ad5aef1089f4d8fcbc7ac571d4eb63b4c4c6

Threat Level: Likely malicious

The file Solarًa.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery cryptone packer

CryptOne packer

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-12 04:01

Signatures

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\am.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\am.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\bg.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\bg.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\bg.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\bg.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c1ccf185bb99974bb3604823e94b8fc6
SHA1 dee7b7c5afd50f4fc8381a49e6e989303744de95
SHA256 418cfe135cb792b021134eb8e14b8c9e789f9b43f2c78d44ba229872388c9d92
SHA512 af5c851dbfb92b095895303f9550ea36682ee8a866fe240b9f38a414491dafb9894b49a0de49bb7257b85973786d5a0c7ef9d555121239bb9fc945d16c39811f

Analysis: behavioral18

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

135s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\ca.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\ca.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

122s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\cs.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\cs.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\cs.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\cs.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2ddee545971162f7f01961e331e37654
SHA1 a484057634557cfe3c6f7d1a6f86938327bf103e
SHA256 f4c32f480a5a18a217b64faed46a81eda2e22fee6e30bd5450a8b3eaa8874a1e
SHA512 3e5084f03ed78ca00591d9504b719c6175b9aa7e3bb3668c0ce999ae122247168a7f83e671826a632d55064d9948734fb12a22922f5c5cda77efb23cc308241c

Analysis: behavioral20

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

123s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\cs.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\cs.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\da.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\da.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

130s

Max time network

133s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\ar.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\ar.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=3880 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

118s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\bn.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\bn.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\bn.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\bn.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e6bd97861191e421c0162a443526a7b7
SHA1 f551959402cc99b26a607f5cf231233bfcee8daa
SHA256 16f8ccebedc353cfb50207e4246bcfa893878602d2b80b37fd80aca2a283e2c7
SHA512 f955f453b25f1d2b9eb1e2fbe3fb5621a9c553d70ccb933158bc6678e5c549c90ce2080cc635cfc5c6d628780b6397836e2e7dc39e2d03717c49140b55d37529

Analysis: behavioral17

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\ca.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\ca.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\ca.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\ca.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c7b370d09c57e327fc71c252bb203172
SHA1 5b2fc4a2b661087722bc63d3a2cc2b6b05e34c5c
SHA256 c29c94c8ef09b74e626c45fd86fc1a1e0cf3a5e2d53fe6a710caa9d8d5b65120
SHA512 c49f2a92b7d35f5bdb17d4b9eb8523f40c76f0529dbff7591f1dd1391d60c8e19e341537bd692733bc600a352ed792f1740800f567589b81123c9b3afaba7d0b

Analysis: behavioral24

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\de.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\de.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

133s

Max time network

141s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\es-419.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\es-419.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\af.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\af.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\af.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\af.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f2d37e22c93076a1e265dddd559748c8
SHA1 ea65e6f14ebfbfa5051bd636cee2effd25b6a3d9
SHA256 6c2018aaba9c67a1754ace840787d40dc2276893a3b761b7fde138ac8c51551f
SHA512 07e1c41565f2b8502d0e2760420e9c3086fc0ad00da496d57f17c525dadb9816cf3ed15f7ac518f29ea23c73966e3eb1c17d8c0daf232279545e7e74ab791f3b

Analysis: behavioral9

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\am.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\am.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\am.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\am.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 db54588ed771244b54278a3bf659ec32
SHA1 082b5f225edc773f310b500e55c9dcbdd56ff0f7
SHA256 b08543fee29eb90f63332d4be27c9c87656bc41c091b9c917d1764666f016f90
SHA512 54aca6338ab0d7c1aeef59f862543ffad13fd5f9d2d6cee37ac834e75fde44a805ca672ea93b7a92ffcb2f1864e02618f3994cb3eb86707ee5f341a21fcbc790

Analysis: behavioral21

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240708-en

Max time kernel

120s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\da.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\da.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\da.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\da.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a4e1e54a3ac027fad0ca94201d87db1d
SHA1 ec79ba8052736fef978f458e74892e75aa2c8cb9
SHA256 bd6ab9f7e6698f65aabdfb85e00e272bf184eb6b62a5c7fd83aa695b9caa7ea0
SHA512 d3d54bb3c4b843029176727f80563d315673636dd5c4f104db6129b36ba82d40750434ea50ab9ec4638ec6591d972a8ae54f0f3d8384b7ae844d59787d79f349

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test.lua

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\lua_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.lua C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\lua_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\lua_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\lua_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.lua\ = "lua_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\lua_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test.lua

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test.lua

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test.lua"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0fdcece1a9c37ef45fa42e037ec12bb7
SHA1 4f2bfaee4567663276713156b57187b59f8e369c
SHA256 6031d1d1037e3d0a944ec7b67ec3318a36f5bb65b3bc5d3a5ee440d2bf011b4c
SHA512 ba0209fe5c3b02dc230b8b6030c32ba217ecd00cfc98b77f1cad2d67a8ef57c240539929906b3d91bdd8c991979a19aa57c3e0f2948695b104c1c0fc430698ea

Analysis: behavioral5

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test2.lua

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\lua_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.lua C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.lua\ = "lua_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\lua_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\lua_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\lua_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\lua_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test2.lua

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test2.lua

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test2.lua"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ef5fefcf72d7099547fb8dd4aa820011
SHA1 5dd4c382c043beb0f0327bb6b035b28a065c5a00
SHA256 e449e95f6f317a548f1eafe1f03c5a6b55747f6e9d7bae9321260ac91688b7ae
SHA512 3ae6f45c39ba3451f6b5151edf4e64670026cacdf6ed424c917beae616264264732d0aeab4fa6d8ad22c2cada4d23e68bf97bdf21ede43d7e4321cfc23cc3b0e

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

96s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solarًa.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solarًa.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

97s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test2.lua

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test2.lua

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

157s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\af.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\af.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

102s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\bg.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\bg.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

96s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\bn.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\bn.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\el.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\el.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\el.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\el.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 af46e1c22a39c698c2ec302ab2697b16
SHA1 9206b1afe46363aa1c7bf76513083e310eeca671
SHA256 5da179a646c511f9099ea6214ffc773d39cb7ff220ba3050e2c699b771438faf
SHA512 fe6ce062f87c5522f6cac4b78cda13382b5db3014230418b9d5a05c25d86c5e23a949a0016dfbf1769ce4a5af1226a2874a4178f3e1147c4c6307ad6ce90bb87

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

123s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test.lua

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\autoexec\test.lua

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=3964 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240708-en

Max time kernel

118s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-GB.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-GB.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-GB.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-GB.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f18f1634dfb711db2c3d6ce4c27a8917
SHA1 326c01d41cc69a1c941f09d09c1e087cfc9d2602
SHA256 864a04808bb3c54bde8204b55718a8689bd656c95ce9c40433762b04ceed6b78
SHA512 fd0e4b24e7fd62f906154852118d437f3487d0def0769ec8007832d292ba5984044cec1c528fa88f8788171e51cee7da962758c055c815f37fcee75d32b9d120

Analysis: behavioral29

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-US.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-US.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-US.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-US.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5a0b36199a8d3881e74fe37c0ae7707c
SHA1 9e714fe828dfc1f2e7d198c5dba696edeff15bb6
SHA256 aecd524373d8188759c099e29e60b487e5eb43035dd2badd2922c5730232c8de
SHA512 512713ad10cfc26bc0b6f10559b96c7fd403c4bb05271bd3a5b4945e84be4338d5a3688612aa65680d2c0e61a171a14dc9469e51b9ea7442a3970b5f8aacd256

Analysis: behavioral30

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-US.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-US.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

120s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\ar.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\ar.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\ar.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\ar.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 595457240abbcb32bfb3e3fe4dcb4727
SHA1 31993f90793ae96579d466b8b512d07c89ef0093
SHA256 4e6103c5ad1b8340875c2e6e953f4de487bef8b9a918be7b599a7c51eb0f4d85
SHA512 0ccf419ab512c5b947113555712ac57f333cd7b929ac3030426060d064530262d3a11101f2c9a1614b5caa41a93908ae4c7cf37a19df79e5f359ead427668bb9

Analysis: behavioral26

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

97s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\el.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\el.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

97s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-GB.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\en-GB.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solarًa.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solarًa.zip

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\de.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\de.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\de.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\de.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 1c9bdd40f20883484c7b018e8a872429
SHA1 a98035c7ed4fd9d2e0b41cfa05c40ec4d09029be
SHA256 082b553a718a9b444f46e4bdd676006af9d7e5516dbb552401d06a7c8da7c8d9
SHA512 7845e20d82473a2780ecc24bd6226faeecf19568456615f05f7b3fb52846d098fa23904fabc6782908cd9e1dded20012677768a81e5054e1a171d58072e83e37

Analysis: behavioral31

Detonation Overview

Submitted

2024-09-12 04:00

Reported

2024-09-12 04:04

Platform

win7-20240903-en

Max time kernel

122s

Max time network

129s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\es-419.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\es-419.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\es-419.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\es-419.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 70b817b7e0b4c858e20b60d9cf3c76fd
SHA1 3e4d579a588c7df52d9029cab5706ca486dc40e6
SHA256 0d936df0ccc783ba06dbe0d564df23fff0b142531819efaf2fbd901a67bc6d19
SHA512 485e3a760aa1cd8d81286113dfa4887ced1af14e7e59891dc45896242db1025a581aed49cb4de122ae673381945183b559addc265d8618a267a8929f4cdb2b58