Analysis Overview
SHA256
7c4d18253a31342fcc83a7f7748ba843f6ee00bff18b9204a4e9c447919fc989
Threat Level: Known bad
The file grewgrwegrwgerg.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
Program crash
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-26 08:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
90s
Max time network
144s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\ = "{F05F6A50-665F-49F2-ABA1-56125C9B552B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ = "IPDFMVisioCreationStatusEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ = "PDFMaker for Visio object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ProgID\ = "PDFMVisio.PDFMVisio" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ = "PDFMaker for Visio COMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\ = "PDFMaker for Visio 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\ = "PDFMaker for Visio object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ = "IPDFMVisioCreationStatusEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\ = "PDFMaker for Visio COMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\CLSID\ = "{551B31B1-4390-4f18-BE10-6841EF69DD51}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\ = "{F05F6A50-665F-49F2-ABA1-56125C9B552B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\CLSID\ = "{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ProgID\ = "PDFMVisio.PDFMVisioCOMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1108 wrote to memory of 1920 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1108 wrote to memory of 1920 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1108 wrote to memory of 1920 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PDFMVisio.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\PDFMVisio.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acrobatacadic.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.111.227.13:443 | tcp | |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3776 wrote to memory of 4324 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3776 wrote to memory of 4324 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3776 wrote to memory of 4324 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acroiefavstub.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\acroiefavstub.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
159s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 372 wrote to memory of 3652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 372 wrote to memory of 3652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 372 wrote to memory of 3652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PDFMLotus_Lcppn.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PDFMLotus_Lcppn.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4512,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
98s
Max time network
158s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2360 wrote to memory of 4320 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2360 wrote to memory of 4320 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2360 wrote to memory of 4320 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PDFMLotus_PDFMLotusNotes.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\PDFMLotus_PDFMLotusNotes.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
91s
Max time network
154s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2124 wrote to memory of 2716 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2124 wrote to memory of 2716 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2124 wrote to memory of 2716 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PDFMProject.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\PDFMProject.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
91s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\ = "PDFMaker for Visio 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\ = "{F05F6A50-665F-49F2-ABA1-56125C9B552B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ = "PDFMaker for Visio object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\ = "PDFMaker for Visio object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\ = "{F05F6A50-665F-49F2-ABA1-56125C9B552B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ProgID\ = "PDFMVisio.PDFMVisio" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ = "PDFMaker for Visio COMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ = "IPDFMVisioCreationStatusEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ = "IPDFMVisioCreationStatusEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ProgID\ = "PDFMVisio.PDFMVisioCOMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\ = "PDFMaker for Visio COMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\CLSID\ = "{551B31B1-4390-4f18-BE10-6841EF69DD51}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\CLSID\ = "{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3872 wrote to memory of 4172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3872 wrote to memory of 4172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3872 wrote to memory of 4172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PDFMVisio.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\PDFMVisio.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acrobatacadicribbon.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
161s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3832 wrote to memory of 3096 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3832 wrote to memory of 3096 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3832 wrote to memory of 3096 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acroiefavclient.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\acroiefavclient.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
91s
Max time network
154s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3396 created 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\cXss7e4fwO.exe | C:\Windows\system32\sihost.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cXss7e4fwO.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cXss7e4fwO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cXss7e4fwO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cXss7e4fwO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\cXss7e4fwO.exe"
C:\Users\Admin\AppData\Local\Temp\cXss7e4fwO.exe
C:\Users\Admin\AppData\Local\Temp\cXss7e4fwO.exe
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
memory/5068-1-0x00007FF8E0023000-0x00007FF8E0025000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gcreapof.s03.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5068-11-0x0000013C48CF0000-0x0000013C48D12000-memory.dmp
memory/5068-12-0x00007FF8E0020000-0x00007FF8E0AE1000-memory.dmp
memory/5068-13-0x00007FF8E0020000-0x00007FF8E0AE1000-memory.dmp
memory/5068-16-0x00007FF8E0020000-0x00007FF8E0AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cXss7e4fwO.exe
| MD5 | ec96e65299b7639d4aa60dd315acad80 |
| SHA1 | 7196b8eb744f769810b390c02371872d11c33bbd |
| SHA256 | c1df546782a82cb03e27ccfea0002f304c56bb26b3fc3d9d8e76ff7c7f61e529 |
| SHA512 | db187aedfc8046e2c3e8c49ad7e3741b56c4280e6ea0017835dc2f0121234f69ae9a24fd5a4eab19f8f3682f0d47279b3441aedb331cdb54a38951ac5626c883 |
memory/3396-21-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/3396-23-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/3396-26-0x0000000003700000-0x0000000003B00000-memory.dmp
memory/3396-27-0x0000000003700000-0x0000000003B00000-memory.dmp
memory/3396-28-0x00007FF8FDF30000-0x00007FF8FE125000-memory.dmp
memory/3396-30-0x0000000075980000-0x0000000075B95000-memory.dmp
memory/2260-31-0x0000000000940000-0x0000000000949000-memory.dmp
memory/3396-33-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/2260-35-0x00007FF8FDF30000-0x00007FF8FE125000-memory.dmp
memory/2260-34-0x0000000002800000-0x0000000002C00000-memory.dmp
memory/2260-37-0x0000000075980000-0x0000000075B95000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
156s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\RUNFILEX.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/2368-0-0x00007FF837803000-0x00007FF837805000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pk24bxep.4bs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2368-6-0x000002DA32AE0000-0x000002DA32B02000-memory.dmp
memory/2368-11-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
memory/2368-12-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
memory/2368-13-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
memory/2368-16-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SelectPageRange.FramerControl\CLSID\ = "{00460182-9E5E-11d5-B7C8-B8269041DD57}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\15.1\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\15.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SelectPageRange.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\ = "_DFramerCtlEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\TypeLib\ = "{00460180-9E5E-11D5-B7C8-B8269041DD57}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\TypeLib\ = "{00460180-9E5E-11d5-B7C8-B8269041DD57}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\DataFormats\GetSet\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SelectPageRange.FramerControl\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\15.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\TypeLib\Version = "15.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\Version\ = "21.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\TypeLib\ = "{00460180-9E5E-11D5-B7C8-B8269041DD57}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\TypeLib\ = "{00460180-9E5E-11D5-B7C8-B8269041DD57}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\TypeLib\Version = "15.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\15.1\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\15.1\FLAGS\ = "2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\TypeLib\Version = "15.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\15.1\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\TypeLib\ = "{00460180-9E5E-11D5-B7C8-B8269041DD57}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\TypeLib\Version = "15.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\DataFormats\GetSet\0\ = "3,1,32,1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\15.1\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\ProgID\ = "SelectPageRange.FramerControl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SelectPageRange.FramerControl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\ = "_DFramerCtlEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\MiscStatus\ = "131473" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\ = "_FramerControl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SelectPageRange.dll,102" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\15.1\ = "Select Page Range ActiveX Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\15.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\ = "Select Page Range Control Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\DataFormats | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\ = "_FramerControl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SelectPageRange.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\DataFormats\GetSet | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SelectPageRange.FramerControl\ = "Select Page Range ActiveX Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4852 wrote to memory of 3740 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4852 wrote to memory of 3740 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4852 wrote to memory of 3740 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\SelectPageRange.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\SelectPageRange.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
90s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acrobatacadic.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acrobatacadic.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
90s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acrobatacadicribbon.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
92s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PaperCapture.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acrobatacadic.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
91s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acrobatacadic.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
90s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4780 wrote to memory of 3932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4780 wrote to memory of 3932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4780 wrote to memory of 3932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PDFMLotus_ndbPDFML.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PDFMLotus_ndbPDFML.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3932 -ip 3932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
156s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ = "IPDFMVisioCreationStatusEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ProgID\ = "PDFMVisio.PDFMVisio" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\ = "PDFMaker for Visio object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\ = "{F05F6A50-665F-49F2-ABA1-56125C9B552B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ = "IPDFMVisioCreationStatusEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\ = "PDFMaker for Visio 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\CLSID\ = "{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\CLSID\ = "{551B31B1-4390-4f18-BE10-6841EF69DD51}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ProgID\ = "PDFMVisio.PDFMVisioCOMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ = "PDFMaker for Visio COMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\ = "{F05F6A50-665F-49F2-ABA1-56125C9B552B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ = "PDFMaker for Visio object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\ = "PDFMaker for Visio COMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2192 wrote to memory of 5004 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2192 wrote to memory of 5004 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2192 wrote to memory of 5004 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PDFMVisio.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\PDFMVisio.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
90s
Max time network
160s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\ = "PDFMaker for Visio COMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\ = "{F05F6A50-665F-49F2-ABA1-56125C9B552B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ = "PDFMaker for Visio COMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\CLSID\ = "{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\ = "PDFMaker for Visio object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\ = "PDFMaker for Visio 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ = "PDFMaker for Visio object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ = "IPDFMVisioCreationStatusEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\ProgID\ = "PDFMVisio.PDFMVisio" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ = "IPDFMVisioCreationStatusEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\TypeLib\ = "{F05F6A50-665F-49F2-ABA1-56125C9B552B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFMVisio.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisioCOMAddin\CLSID\ = "{551B31B1-4390-4f18-BE10-6841EF69DD51}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F05F6A50-665F-49F2-ABA1-56125C9B552B}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFMVisio.PDFMVisio | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{551B31B1-4390-4f18-BE10-6841EF69DD51}\ProgID\ = "PDFMVisio.PDFMVisioCOMAddin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6510ABA2-8298-4201-945B-2E64F5AA45B6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D2D9B28-0B05-4b9d-B3EA-9FB1B9180E53} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5124 wrote to memory of 6000 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5124 wrote to memory of 6000 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5124 wrote to memory of 6000 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PDFMVisio.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\PDFMVisio.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
91s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acrobatacadicribbon.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
91s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acrobatacadicribbon.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acroiefavclient.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
127s
Max time network
132s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3868 created 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe | C:\Windows\system32\sihost.exe |
| PID 716 created 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\zVitkHBf7X.exe | C:\Windows\system32\sihost.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zVitkHBf7X.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zVitkHBf7X.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133718143500675132" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zVitkHBf7X.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\grewgrwegrwgerg.zip
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8124dcc40,0x7ff8124dcc4c,0x7ff8124dcc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1988 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2236,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2288 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2332,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2348 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3332,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3348 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3740 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4588 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4864 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5160 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5228,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4280 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4404,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4704 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5448,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5004 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5184,i,13709406986970266535,3748374610422380111,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5808 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap2868:88:7zEvent2325
C:\Users\Admin\Desktop\launcher.exe
"C:\Users\Admin\Desktop\launcher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe"
C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe
C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
C:\Users\Admin\Desktop\launcher.exe
"C:\Users\Admin\Desktop\launcher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\zVitkHBf7X.exe"
C:\Users\Admin\AppData\Local\Temp\zVitkHBf7X.exe
C:\Users\Admin\AppData\Local\Temp\zVitkHBf7X.exe
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.228:443 | www.google.com | tcp |
| GB | 142.250.187.228:443 | www.google.com | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 172.217.169.46:443 | apis.google.com | tcp |
| GB | 172.217.16.234:443 | ogads-pa.googleapis.com | tcp |
| GB | 172.217.16.234:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.169.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.212.206:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 206.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tinyurl.com | udp |
| US | 104.18.111.161:443 | tinyurl.com | tcp |
| US | 104.18.111.161:443 | tinyurl.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 161.111.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chrome.google.com | udp |
| GB | 216.58.212.206:443 | chrome.google.com | tcp |
| US | 52.111.227.13:443 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
Files
\??\pipe\crashpad_4628_CRTCHKTXEKTWDVAC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | e52c18e6a7e441538f6851a1fa240580 |
| SHA1 | 97858d0834d241f7369c3ec7f9affd2e804d8409 |
| SHA256 | 42918e3f73b2fb31a83e9cf0ab4628a13ea62dba52436acc46967abedd710c80 |
| SHA512 | 225496ee8a47339de06664c2ff7afc18d2763170903f824914cbddcd9df87c20853474c4937982e93c702715c6ae5bcf0e09f93b84c94439fc4321c781036512 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 089c9b17d1b1f212486ac9d19cb8f324 |
| SHA1 | 941e8e84dd24df67bcb139e81a921904d2a366bb |
| SHA256 | d767f6aec7f9c43b1623adfb252b63038bfc65d773b78ebd3e39aedb1b65f6db |
| SHA512 | f49ec5554836ac60dd86fcdb9d6f125d00dbd02da78f5164d510bc552e5ee7fb877542502b34ae09002508dcb3f9ce44a4963a073afcce35ade6e3b353da3d43 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9fc3af864568f9f7e9816f70d7895dbf |
| SHA1 | a9a356b551158986f67af0f010e30f57c2f6572d |
| SHA256 | 02f0b2cb48f9314db462462d6e0dee6188ed00a664c1708d19baefa09a7993f8 |
| SHA512 | 24ec23337c563009121205959d9f3624661231e5ef302ea73b260bbb3392f94fc8e7b0ffceba2ca40790b8a7ba0962e79557766a781b0ba20488f6318db42a85 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0ce715b8475784e2d0ed53555c31636b |
| SHA1 | a39856745dcb976002211186c2019d7ffa425788 |
| SHA256 | 81023937303dc562ebf3527e867c91ef3d4f532a84cbca4bae14b8c5eacd2341 |
| SHA512 | d79c812f5a9dd627d0affa1a29e0f68bfff3acf58d06521b5847901568382c58817b62fc9801e27e127fd7f2983e44b565406e5f0165c7f1d8eb79d7cd3733c7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 57d3ea65c57ca16a50d9c202bad8c79d |
| SHA1 | a04f873749234ec967e66d018d0892b53fd1877d |
| SHA256 | 9f1280d91c0e8a0689adf195a43f9ad3e475974c81f2e4dcc72890b1e57a369a |
| SHA512 | 22708098df6fded16a3e9493922fcbc1c6f36ff83bcead4a9e989eed9834d028b6983b877383e68a1d9d73bd5410022184a4308536e4a5143bb022ac38ab3c16 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a121f00fe3c2eadcf070ac8c84876a26 |
| SHA1 | 00761089da24b1fd0437345f217770e59eade3d8 |
| SHA256 | 911eeab93c6852094b02ed95c4677f3ffa25d796a2ac37ebef175dda37d8cb42 |
| SHA512 | 4d84f4b79d3a59d655d9e3431c34df7cc02df792ee9453309af056306b7f5f65363d8585f623dd1c5f157ecbeaa64bcb5759e8e232fb9aba5a167e06d50a35af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 370ba33b577957a448e354274e2c3b63 |
| SHA1 | c79081f870c2dab4cb464dca622ec5765d1429a9 |
| SHA256 | 02eeea442e73f619ec5e3ee871fba91df7900915cf2abffffd0b04c3efbbb462 |
| SHA512 | f11370dad2989b1473fef5bb07fa848de636bd1947296ff2f30dadf041e4904dcb5edd2b1589936b5e5499d974faf16031d94a2be9f377cc1823a769f55b500d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 422d8b7646caa30d514013e62a3bc437 |
| SHA1 | 13b263789f1cd854df8ad7ecdd8679b8862b58dc |
| SHA256 | ee95440df2bcfe6a0408ca2fb5465491ca658accf239fde08db5b41ce38190f4 |
| SHA512 | 2d7a175358606637c054dc80f423e928ccaf5edd1de95fa1000102869c137ccfa11d9739771011152a933f14f824f490358e7eaee0a99461d54b8c0f9f7a2ce1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 029d4f9374edf28fe59746f363fd3bfe |
| SHA1 | 0cc03e98dedcc07e02b01faf40519fb30ab0aba4 |
| SHA256 | de7c2015c05712dfef9928274bc891ff0c4160c81cc72e107ae0cadb51f1c95c |
| SHA512 | 30de46a5a3a0bc3b8e95131e773003472b72538ff5a2ada2e08911c88efed7ef7d0b99dfdc6cdb36b4f4b852441a8653530131698a464437d16edfebac981273 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f9783124a89dbab1d87daad8923f2db2 |
| SHA1 | 7ea527aa010298aa40b5b84e9700977f7f1a8033 |
| SHA256 | 139248083feb2e539a4718f5b25639e947f8e3d2d43051e5098f3204ab8f5751 |
| SHA512 | 9cb4716881f880e4594fffa755ccd46e78cff6366d9e721a37600c2556a62931b672b7b6c50519b6c804f5a7221a539305c9638c10d0390c5b3a749b7a01691e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6d78e914c524192bee30f1c205094fd1 |
| SHA1 | 9c2228a765eed344c6eae7b151efee4dd07b3c8a |
| SHA256 | 4898b04d7e683aa38c2798f8fdf4bbc1165759dae797d7baa343d4fc35947e04 |
| SHA512 | d3ba00511583a8f10235ad11022666fa61e7e9fff608aa5c03917eb76d7ce582af298948166987cc63829621cc98a972da075a0aaf4733ec144cd0670d4e71e7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | e615c9d91b5dfe42ed3b40e8ff218ba1 |
| SHA1 | 681a67bc2688070397f93ec97aff567867699e16 |
| SHA256 | be744ef3a6eed642ae950c4e5602b91e4eb49c83f309cbb0f6a4385b3254f0ee |
| SHA512 | ce9e680e96f9ce48c7c81e74c4485832e6ec4505dd933094cedde78d03e79a1a93f79ea35574614c78db9ab491eb8251605c3bbccaf34e25b05a2d7aa83834cc |
C:\Users\Admin\Desktop\launcher.exe
| MD5 | d4eca6136281d617dcfac5bae3349e70 |
| SHA1 | c6941cd9df4f7db4bdf6bd163869016a2520d644 |
| SHA256 | 0777bba437bc66725d3e00f17810a1dee973fef63808d3d14aa046503a5589a6 |
| SHA512 | a17b7bc6985304008649b8b6a009f675b3570e14a39e0073ea6cd00dca5ffecc0acedcc67f9c250e35b09d3c941540e74b338795f1cff12172c137d525afeb8a |
memory/3304-149-0x00000210FE020000-0x00000210FE042000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ib1baae.fys.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\nq5v9DfNCB.exe
| MD5 | ec96e65299b7639d4aa60dd315acad80 |
| SHA1 | 7196b8eb744f769810b390c02371872d11c33bbd |
| SHA256 | c1df546782a82cb03e27ccfea0002f304c56bb26b3fc3d9d8e76ff7c7f61e529 |
| SHA512 | db187aedfc8046e2c3e8c49ad7e3741b56c4280e6ea0017835dc2f0121234f69ae9a24fd5a4eab19f8f3682f0d47279b3441aedb331cdb54a38951ac5626c883 |
memory/3868-165-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/3868-167-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/3868-170-0x00000000036A0000-0x0000000003AA0000-memory.dmp
memory/3868-171-0x00000000036A0000-0x0000000003AA0000-memory.dmp
memory/3868-172-0x00007FF823C10000-0x00007FF823E05000-memory.dmp
memory/3868-174-0x0000000077780000-0x0000000077995000-memory.dmp
memory/3740-175-0x0000000000C50000-0x0000000000C59000-memory.dmp
memory/3868-176-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/3740-178-0x0000000002780000-0x0000000002B80000-memory.dmp
memory/3740-179-0x00007FF823C10000-0x00007FF823E05000-memory.dmp
memory/3740-181-0x0000000077780000-0x0000000077995000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f7ac99df5f8ab62889d6433e61653c26 |
| SHA1 | b9ebe3d5ec3128823e14d056e25c2b2bc79a4ea5 |
| SHA256 | bed639ea1ea2298025cbe311d2ef205001549003fc4c23912d1fccfe53046e31 |
| SHA512 | 40727b696e5021b1ab8eebf2a4867102971e8c006b998055eff1a2f19b7ce8aacc4229ff41acb052be08b710300799bc77fcf0682290388ac3342382c67af82e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2979eabc783eaca50de7be23dd4eafcf |
| SHA1 | d709ce5f3a06b7958a67e20870bfd95b83cad2ea |
| SHA256 | 006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903 |
| SHA512 | 92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2d40b0513407a52b907f8e1709ae4d91 |
| SHA1 | 583d434e3759789c1e561a60c9d8d5965af532d4 |
| SHA256 | 3000a60b956b80b5f878b60b48d10677d5c6ff3c3edf7020b3c92eec488228b4 |
| SHA512 | 85f5acffbd26288868f40f3b1a199209e10fac1c1be41a10ff2148010cd57006eb911922fc34da970a7f09612ef35cc63e808dd5d58f775411a39e3dae9383e6 |
memory/716-219-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/716-223-0x0000000003640000-0x0000000003A40000-memory.dmp
memory/716-226-0x0000000077780000-0x0000000077995000-memory.dmp
memory/716-228-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/716-224-0x00007FF823C10000-0x00007FF823E05000-memory.dmp
memory/512-230-0x0000000002A30000-0x0000000002E30000-memory.dmp
memory/512-233-0x0000000077780000-0x0000000077995000-memory.dmp
memory/512-231-0x00007FF823C10000-0x00007FF823E05000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e8cb944eccf30a164cbea5cfe0fa6c49 |
| SHA1 | 92c6d83e568ec7d4f24223d8d7d440029156500f |
| SHA256 | 9e62e7f43ab44f628be7c4e0c00bda1fcb0624c51716f681df13e79586c38183 |
| SHA512 | 46a978932db487b381aeba7bce6019d3d5b2e7ac009eddfc9ba50b32bf835bda388f5d4055c3d3eb3ac2620142a03f045f26c1b047c3f2ca617c56c2368640c3 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
91s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acrobatacadic.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
90s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acrobatacadic.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acrobatacadic.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acrobatacadic.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
118s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acrobatacadicribbon.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
146s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\PDFMRKEX.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4488-0-0x00007FF9204C3000-0x00007FF9204C5000-memory.dmp
memory/4488-10-0x0000028CF50A0000-0x0000028CF50C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4oidbtgc.ftc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4488-11-0x00007FF9204C0000-0x00007FF920F81000-memory.dmp
memory/4488-12-0x00007FF9204C0000-0x00007FF920F81000-memory.dmp
memory/4488-13-0x00007FF9204C0000-0x00007FF920F81000-memory.dmp
memory/4488-16-0x00007FF9204C0000-0x00007FF920F81000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-09-26 08:49
Reported
2024-09-26 08:54
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acrobatacadic.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4076,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |