Malware Analysis Report

2025-05-06 00:41

Sample ID 241109-1heg3svrhp
Target Release.zip
SHA256 89af23ff21360079b2ee8011aa959c1b4baf7ab09522e74980a6d86c2aa868dd
Tags
discovery
score
7/10

Analysis Overview

score
7/10

SHA256

89af23ff21360079b2ee8011aa959c1b4baf7ab09522e74980a6d86c2aa868dd

Threat Level: Shows suspicious behavior

The file Release.zip was found to show suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe

"C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 72.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

143s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\index.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 740 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 3188 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 4580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 4580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 740 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\index.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff869e46f8,0x7fff869e4708,0x7fff869e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1022173400953991426,11301057038565339376,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3004 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 61cef8e38cd95bf003f5fdd1dc37dae1
SHA1 11f2f79ecb349344c143eea9a0fed41891a3467f
SHA256 ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA512 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0a9dc42e4013fc47438e96d24beb8eff
SHA1 806ab26d7eae031a58484188a7eb1adab06457fc
SHA256 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

\??\pipe\LOCAL\crashpad_740_SXSVSXDNLMAVRJWM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8a40ef9e-8265-47d4-bda2-2dcaa3cd2520.tmp

MD5 5b3e3943bcdf8549f98174a2c3042098
SHA1 f1fca2cb3fdf5ebabedaca60ed17986b0734ad08
SHA256 b6b63796ba5b2c2a630ee288413b372029b1f3df119c6c1e150617cd354828fa
SHA512 035064698fa874280b2a2fee854f717fc47878733f0bf977e3d9b6369f199e9e2fdc818966311f170394ed3652bd3744e6d467dfec10fc9f1f42bc045c6efffb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5c5a4025279f02dc24b2aaaed98bf008
SHA1 22dce694343618d2de6ec6cade1570fccb6dc413
SHA256 759b53130456f1cd2d189a140ffa88fda07eb22d07d5a36196c87f810f075285
SHA512 c567f121416adad7b87a958b2425b029275ef54579b4434a6f7d1fb23d18c754b1caa1369bdb6c0a849b387b6b382485258fd42f6b8e5cfeb6b2ea5c945d39ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 96615d467fcfea46b1961dab563bf08c
SHA1 b0b4ba57953216d2c8bfc5115400127383e3f4cc
SHA256 66a3bd879fec100039eafd101ad606f2b91f7a568d15c989d32e303951f60905
SHA512 8435f0f73bfd4adb6e20e89d26c530200a16965a8ed7cfd26ef77ae1d8d9ce2354412dca935682530bdd63826128562f6b0e1db70a94d53b19cd48e199425b92

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win10v2004-20241007-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A
N/A N/A C:\Users\Admin\Downloads\loader3.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe C:\Users\Admin\Downloads\loader3.exe N/A
File created C:\Program Files\Windows NT\Accessories\en-US\symbols\8a7acf8a27881ad9887fc425cd6c5f95.pdb C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\en-US\bjtw76.sys C:\Users\Admin\Downloads\loader3.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe C:\Users\Admin\Downloads\loader3.exe N/A
File created C:\Program Files\Windows NT\Accessories\en-US\symbols\8a7acf8a27881ad9887fc425cd6c5f95.pdb C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe N/A
File created C:\Program Files\Windows NT\Accessories\en-US\bjtw76.sys C:\Users\Admin\Downloads\loader3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4776 wrote to memory of 408 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 408 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 408 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 408 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 408 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 408 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 408 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 408 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4776 wrote to memory of 460 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 460 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 3484 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 3484 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 4660 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 4660 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 1428 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 1428 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 2240 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 2240 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 1968 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 1968 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 4528 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 4528 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 3016 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 3016 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 3016 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe
PID 3016 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe
PID 2236 wrote to memory of 4964 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 4964 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4964 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4964 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4964 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4964 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4964 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4964 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2236 wrote to memory of 4344 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 4344 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 4904 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 4904 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 3064 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 3064 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 1396 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 1396 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 2944 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 2944 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 752 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 752 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 4532 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 4532 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 4504 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 4504 N/A C:\Users\Admin\Downloads\loader3.exe C:\Windows\system32\cmd.exe
PID 4504 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe
PID 4504 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\emu\KeyAuthEmulator.exe

"C:\Users\Admin\Downloads\emu\KeyAuthEmulator.exe"

C:\Users\Admin\Downloads\loader3.exe

"C:\Users\Admin\Downloads\loader3.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\loader3.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\Downloads\loader3.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cd C:\Program Files\Windows NT\Accessories\en-US\ && 8c9zrj.exe bjtw76.sys >nul 2>&1

C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe

8c9zrj.exe bjtw76.sys

C:\Users\Admin\Downloads\loader3.exe

"C:\Users\Admin\Downloads\loader3.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\loader3.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\Downloads\loader3.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cd C:\Program Files\Windows NT\Accessories\en-US\ && 8c9zrj.exe bjtw76.sys >nul 2>&1

C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe

8c9zrj.exe bjtw76.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
N/A 127.0.0.1:61201 tcp
N/A 127.0.0.1:61203 tcp
N/A 127.0.0.1:61207 tcp
N/A 127.0.0.1:61209 tcp
N/A 127.0.0.1:61212 tcp
N/A 127.0.0.1:61214 tcp
N/A 127.0.0.1:61218 tcp
N/A 127.0.0.1:61220 tcp
N/A 127.0.0.1:61223 tcp
N/A 127.0.0.1:61225 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
N/A 127.0.0.1:61230 tcp
N/A 127.0.0.1:61232 tcp
N/A 127.0.0.1:61236 tcp
N/A 127.0.0.1:61238 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 vsblobprodscussu5shard84.blob.core.windows.net udp
US 8.8.8.8:53 219.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 20.150.79.68:443 vsblobprodscussu5shard84.blob.core.windows.net tcp
US 8.8.8.8:53 68.79.150.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 106.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 127.0.0.1:61264 tcp
N/A 127.0.0.1:61266 tcp
N/A 127.0.0.1:61269 tcp
N/A 127.0.0.1:61271 tcp
N/A 127.0.0.1:61274 tcp
N/A 127.0.0.1:61276 tcp
N/A 127.0.0.1:61279 tcp
N/A 127.0.0.1:61281 tcp
N/A 127.0.0.1:61284 tcp
N/A 127.0.0.1:61286 tcp
US 8.8.8.8:53 msdl.microsoft.com udp
N/A 127.0.0.1:61289 tcp
N/A 127.0.0.1:61291 tcp
N/A 127.0.0.1:61294 tcp
N/A 127.0.0.1:61296 tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard84.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard84.blob.core.windows.net tcp
US 8.8.8.8:53 228.38.150.20.in-addr.arpa udp

Files

C:\Users\Admin\Downloads\emu\KeyAuthEmulator.exe

MD5 cf78d5995312872c075ae9772a14a5a2
SHA1 1de6c53b6acad6140567693f0fff7379826477a5
SHA256 71fede3d07f8b24d08e15748abcd95abcfe48e21a5a71f0c96d6bf752c12252c
SHA512 d4ca332800195a3a1c0dbe7c1669d91e23f5ad68c491589c8168b0040114fb761672778c39f092e8909133a1027e25e836f3951e17cffbc20e5fe5e271b0d845

C:\Users\Admin\Downloads\emu\KeyAuthEmulator.runtimeconfig.json

MD5 9fcdf880f73e74cf6347f8194b9f3509
SHA1 ab571c7ed4920129c89c7e083f3c9f22597198bc
SHA256 162d81f468bec570ec15e527433f4de5d5729ffe338ab79b22671f38760d34bd
SHA512 23ea2a78914aeec443bded1e6dddb1fce61f0445c53e0428e97353dcc25e9ee80a98603069de336d57c1d12b00eb14ad59847137387df330a3925bd763f4fde1

C:\Users\Admin\Downloads\emu\KeyAuthEmulator.deps.json

MD5 47306d1fc832c57ab35f197f48e05864
SHA1 3606f87598d00701916d8ea63fb1b118cf47a418
SHA256 98150b82cbb9f35dc99daa5116d9eae18adf22c11cbe245e1822ff42a254d624
SHA512 cd0465b45c49d95bcf1c395d2d90fad37fcc53a7969afa3059d49abbc30d90732471398b4efc6b52fcb4b0f0878a01b3a5bf6d19fead1f18331b2fb63b118a2b

C:\Users\Admin\Downloads\emu\KeyAuthEmulator.dll

MD5 4451edb88fdb64579dbc30f0d7d1c855
SHA1 9869832cb3d088edde91ffdb62aed911e8f6fe6f
SHA256 5a476075a4fc6125c28cdb14e3a71af4f5a62f8e54ded8b610898ef81fc9721b
SHA512 155e6ab88d527bd28902b14f335af9ec667574f56898f8d3757ada9354d3817317df201484ecf2c5c1c4569c5995bf620adc9ce65e889556cbb4410eb344ee7d

C:\Users\Admin\Downloads\loader3.exe

MD5 c1afc5729255d68bf6f7ac02e43935dc
SHA1 ca62f75238efa0daf3521e2df1a44fc6a7784315
SHA256 6cdb812daba9157f3c51ebdda2b38268f32c7ca4048e7c4364c5b354a32a0ba0
SHA512 476a301a51893a79c1916ab9f45c0d45c89e8b3e81bf8108c6ac305fc602be2c720ad6cc88393b300824895d30add2454afbe4d7e1a282510e0430f4973f9fe0

C:\Users\Admin\Downloads\emu\secret.txt

MD5 e8365894de54b276c0d2f3b1f3d4eed7
SHA1 ab75f9e802ba138fdcc5ea5b76de26d12415b1b4
SHA256 f7db4f7979ab418b7c01c16de9bc2041a674afb89daa051712360244decd5763
SHA512 cd54e2857a2873a4f56456bad22f260915a3e7dcfc5e90009a0c489f6e1762ba25a9cbb2f5cc900504c3b11c80602cacebf542ecc6e8b9b6dc6fb0377ff6c597

C:\Users\Admin\Downloads\emu\675606

MD5 1601dd52ad1b2650ad43b8a9b204d360
SHA1 728f636af02e422bf87001e6b685d4293b725871
SHA256 a816e84471064911c79f247bbc79cb126e97065aaf766015669cf3fcde9dd7c4
SHA512 19caf163f7a0e11f3e8f85ed8b3b488a9e078add7fd01dd44d13fb35cf3a6a1ff3288a5ab8d9a64af95f65091904125cbeaf6ea6d19f3d003ecf489e0c4af37e

C:\Users\Admin\Downloads\emu\878321

MD5 e2702cd687534dcf328d004f13bda94a
SHA1 f519ca25e18dca6c15d3d15849d8764cb6a13943
SHA256 bb4b323f6d51ff84b0d9a502cb25fea638c497c07caffcb1391c4060a27c6bc1
SHA512 d4726ae28db86d5adbd6c73783dd7919a3744e9e6280be4c0480ce74c5872c19dc6471c16ee05c0c441ac008e1a7fd32c01a633873bcd370c66d719924d70af0

C:\Program Files\Windows NT\Accessories\en-US\symbols\8a7acf8a27881ad9887fc425cd6c5f95.pdb

MD5 dfe8ddd56a1617a07d5c3a99131c4e75
SHA1 bb307024cf33d32ac4a679bd966cb2f12f2a89cd
SHA256 c135f7fff8d8210aa1f71f2fc560aa35e1a64372bf26610b693814c31fc53406
SHA512 84635e4929ef075ca09d3507faae159a3d64f115075d44c8a3ebedbe2506948bb59f6b95280db08fde5903cde31a43c94d94ca79e4cfe895e5ddcb164150abaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 fa6a3a89d780f2d3769d485503c01033
SHA1 ea211b52df010c370d3fde421a516b4c7f512ac4
SHA256 153b72413f78666d280dfb656f7bdd3d8b846cf2de9de3b1947598084f4dd3d1
SHA512 60862b3dc4788a652f113fc3b8790bb4f468058daee8eac09f5c02ae2bb6455d170af13217f5e4e3c95c071504286a4638a388240d61a38d6152529baff83730

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 be9e8d8924121c12f831ce40c1b386ac
SHA1 406c46f2b991b85091e349b2484ced5834f6cc9a
SHA256 d861c6ae663fd62a02264ace01246b293be07eaac463b139a2cbb77866138daa
SHA512 6eb20990d8cbc361f5f33114b82d18ebd52ad9abfdc1ef4d12cacac62e91f728f1d0bf1df476868abe0be2cdd454f7423ffbca4e39603dcc01e0400e562ecd67

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

147s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win10v2004-20241007-en

Max time kernel

98s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe

"C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 69.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\loader3.exe"

Signatures

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\loader3.exe

"C:\Users\Admin\AppData\Local\Temp\loader3.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader3.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader3.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't connect to server && timeout /t 5"

C:\Windows\system32\cmd.exe

cmd /C "color b && title Error && echo Couldn't connect to server && timeout /t 5"

C:\Windows\system32\timeout.exe

timeout /t 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:58227 tcp
N/A 127.0.0.1:58229 tcp
N/A 127.0.0.1:8080 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win7-20241010-en

Max time kernel

14s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\emu\878321.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\emu\878321.exe

"C:\Users\Admin\AppData\Local\Temp\emu\878321.exe"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win7-20241010-en

Max time kernel

120s

Max time network

148s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{052F4721-9EE3-11EF-8E0F-52DE62627832} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000003bb43a5bc619edf95b2213954ee0160170011b7433b058d851bbc814cd379e44000000000e8000000002000020000000ff123201df9e1f54fd97ea6e522831ec8f63243d1d8c93d3d80f1dc133e129be200000004573c03b93ae998caeb08629cc1f054e3e39301ebba8c2b6bd8dd5dd7212499e400000001e560628c78c1d1dc078759083deec05657552230cde8f152cc67e5283b1e4c699612ea3d8ddbbfc825892eee952d2857d2bb1335e35a21bac16cd2515aa72d0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437350227" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0c7afd9ef32db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2520 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabB09C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB18A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7cd0fdb46463352a88956990c0f54af
SHA1 3b2251bbf9a67f92ade931aa858445a3f1bc34e6
SHA256 3d6af690ad78149c61c8f8f7fe687b3834d551118b44c4094c5644a374144a80
SHA512 10cc69788d27550dcfc1d95f61dee0f403b470bfda91928154124709375d37da79cdcbd47a776a1c464f1b7c7b87bc80adc4e30cc295005722c9216ded84f024

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9459d4b64cd71cf382520831e46a63b
SHA1 d993fed2f2cf540cd0c2f76ead9b5e99a675ae7a
SHA256 4d39a55bced2fd31cd1e6dc457d592a625e0e70f4d630a983f58e62ebd0930c0
SHA512 1919083806037d423f4d54588cffb72d7226077d3dab8302d64fbb1d71a750562c1ec78bfe0c02f05622b8fbf6e3ec17f389a78254463b9e61aa56fad68d6e65

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win7-20240903-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\loader3.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\loader3.exe

"C:\Users\Admin\AppData\Local\Temp\loader3.exe"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup.txt

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win10v2004-20241007-en

Max time kernel

98s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\emu\878321.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\emu\878321.exe

"C:\Users\Admin\AppData\Local\Temp\emu\878321.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win7-20240729-en

Max time kernel

16s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe

"C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe"

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:41

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe

"C:\Users\Admin\AppData\Local\Temp\emu\KeyAuthEmulator.exe"

Network

N/A

Files

N/A