Analysis Overview
SHA256: 5328d5f480f89cf93fe4f578facaa9622f36e802c436ed20b9d83e11b98700d3
Threat Level: Known bad
The file Orcus RAT.rar was found to be: Known bad.
Malicious Activity Summary
Netwire family
Orcus main payload
Orcus family
Orcurs Rat Executable
NetWire RAT payload
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: JavaScript
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-12-16 22:33
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Netwire family
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral9
Detonation Overview
Submitted: 2024-12-16 22:33
Reported: 2024-12-16 22:36
Platform: win7-20240903-en
Max time kernel: 118s
Max time network: 124s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2524 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2524 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2524 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2328 wrote to memory of 3004 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2328 wrote to memory of 3004 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2328 wrote to memory of 3004 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2328 wrote to memory of 3004 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.pdb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 332519612fa82ee55239540f8de79c78 |
| SHA1 | dc10655b42a68bce1ce2606d155346f80f383937 |
| SHA256 | e4cba061d5b45247edc7d618033c0bd86730c797ceb7780cad74abc4c931f40e |
| SHA512 | 6d939f5b0640d179e8c3c80ebbbc2f39f5108fde7dfeaed0bfabdb5cbb68dbeaeadfe4d854ff7416d787e3f5221232df8dbab8f9118faedb3fe62ebde0b9f320 |
Analysis: behavioral14
Detonation Overview
Submitted: 2024-12-16 22:33
Reported: 2024-12-16 22:37
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 155s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted: 2024-12-16 22:33
Reported: 2024-12-16 22:37
Platform: win7-20241010-en
Max time kernel: 122s
Max time network: 131s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 804 wrote to memory of 2492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 804 wrote to memory of 2492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 804 wrote to memory of 2492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2492 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2492 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2492 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2492 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.pdb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 8d8ea0b4b28347fcd1cea5b48eaefb02 |
| SHA1 | 9390fb856941e36c6aa75fcf23850a50011d30d3 |
| SHA256 | c07445933b500c6b35553e5986166ac94877112448b1fdf5e3e8e0f33e4924e1 |
| SHA512 | ff7b40d52ff0e3deda9c79e587393a8d78689b2f46db651acd35c9d8d689b519bda8375eea311c398f980ba8f9339ed71d26ab3fb86f068f4ba58d73b66f7c85 |
Analysis: behavioral32
Detonation Overview
Submitted: 2024-12-16 22:33
Reported: 2024-12-16 22:37
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 156s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.xml"
Network
Files
memory/184-1-0x00007FF825530000-0x00007FF825540000-memory.dmp
memory/184-0-0x00007FF86554D000-0x00007FF86554E000-memory.dmp
memory/184-3-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp
memory/184-2-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp
memory/184-4-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted: 2024-12-16 22:33
Reported: 2024-12-16 22:36
Platform: win7-20240729-en
Max time kernel: 133s
Max time network: 132s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E6B2CBE1-BBFD-11EF-9DFD-D67B43388B6B} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000592d98dc56e0e749b91aca360afca4330000000002000000000010660000000100002000000093c66f61f13b5471c33e47492e5709b13f6e94fcff10d44d2a3494634c16a564000000000e800000000200002000000034462a71889aa432b64681205475bb4f301894e2cd57fd41302f7754a32cde59900000001b4dfff9b006d3fef533d9bb2980cac879781b8e278efa3f211e683a2d04243e0b6e361a873fef8e6af98fe17fefd9f0f77622ae1b60dec44cc7f2d7915662a5e34e9b3a6ff5722a8948f8ca2d43e401898ebfd66e265a3e5530eb7e25aa5046cb68ed0836cf13d29c2b5cdc3f158b4223948b8bb7cf105236730bdbb15016e2b9ff2a7890b73ffb61ec74911e5896c94000000034a143d2aaa06888f52b6ef233a57e0e2929209e5ab87dd4a5600aedd151334d50779aa70e86b35acdd44d61b59b0e690b89ab5837ecbe0ebfb9d7a99097e689 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000592d98dc56e0e749b91aca360afca4330000000002000000000010660000000100002000000068ff4967b30dfcc30fd4f71792bdca31184a63b5f15d666e61500c96ab090b8d000000000e8000000002000020000000983dce65968db4a8fce8a63e964c2b7fd2195f84cdc87e9ecb19cd40fe55008a20000000f900e969064dec06da7fbec397833bb427989586c48afb193bbda8d84edd52a240000000ee36b3d6847d6c3733978038c12516d3b27835b911b749d717f32c0606eab2a1240d995011198ded48d073b17911350f9f8804486ac73cdfb2eafaacbc9452cc | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550332" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80a2a3bb0a50db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab2435.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar24B6.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral28
Detonation Overview
Submitted: 2024-12-16 22:33
Reported: 2024-12-16 22:36
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 147s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Newtonsoft.Json.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4528-0-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp
memory/4528-1-0x00007FFF183CD000-0x00007FFF183CE000-memory.dmp
memory/4528-2-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
memory/4528-3-0x00007FFF18330000-0x00007FFF18525000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Release\NLog.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:37
Platform
win7-20241010-en
Max time kernel
103s
Max time network
20s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1736 wrote to memory of 2004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1736 wrote to memory of 2004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1736 wrote to memory of 2004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2004 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2004 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2004 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2004 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.pdb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Analysis: behavioral20
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.IconPacks.Material.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/1000-0-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp
memory/1000-1-0x00007FFA9FC8D000-0x00007FFA9FC8E000-memory.dmp
memory/1000-2-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp
memory/1000-3-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp
memory/1000-4-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:37
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Release\NLog.js
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win7-20240903-en
Max time kernel
133s
Max time network
133s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550334" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8688A61-BBFD-11EF-B8EC-E699F793024F} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000088e8189262d3a8459af95dc794a543df0000000002000000000010660000000100002000000039de8440b122d047e8d5137a52b85c29b03710421dee0219dae3f85a8367e9bd000000000e800000000200002000000064209aad60c951567e4d93ddca407ecf24d27b8ea5af32dade967d0d0390702b20000000380cb72cc49a40e4f618d71305434032da1bf1c1783a823e739a215a93173d3240000000b064f4d869209bdb4b832046c1f528f918c651bdda41b4fed24acad0faf5d4a4ebf1fd9298429661819b7ce632772c4d16cb3bd77c4675288f00483d40fd1493 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302538bd0a50db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab27A0.tmp
C:\Users\Admin\AppData\Local\Temp\Tar2810.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
149s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Orcus RAT.rar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win7-20240903-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1548 wrote to memory of 3064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1548 wrote to memory of 3064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1548 wrote to memory of 3064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3064 wrote to memory of 2636 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3064 wrote to memory of 2636 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3064 wrote to memory of 2636 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3064 wrote to memory of 2636 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.pdb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Analysis: behavioral15
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:37
Platform
win7-20241010-en
Max time kernel
123s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c22abe0a50db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8F00211-BBFD-11EF-80AB-7A300BFEC721} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000f1d06d1f204acc6956681b97601f757ed02f8e51b3ad93e8ee42544dffbf6742000000000e8000000002000020000000633f002cbe8bb77822d1cb37d27b664a0c15a908995be2b65ee238ce29184264200000006b7b8c4400ee708b22eea78bc25b595be3eefc97e18face47e45627e21aca1bd4000000095ac3abd1872c2d4036b166a8b47ff95534931f0b03c1d87df3d6cd7c44c69edf5310ae2ae57d59eed38904b956815289220e1e079714ad410c4fd8fd411d63a | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550336" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabF3C4.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarF482.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 93757ce3a60372ffa87d0727b3a9643f |
| SHA1 | 3d5dba222b2741198dd5d84800be798f2e6b0b33 |
| SHA256 | cb579f64924865863d66a63a0669ef30635581ff32113c6b242d9a11f5299900 |
| SHA512 | a8223228f498a0de0c16c19c64fd6e9cdf8a032d392e0f0c368fac7c7baa9df07fc267b83fb955b7dbf22d9d81667939d6d5944bb1f7f0024c2ff3d31cd3c443 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 605ed66c666841be218af9b3f4bd55a1 |
| SHA1 | d3f92d0aab289323384b5149113fae560dfc3701 |
| SHA256 | 75faf211c2b143f58d188e1ad322bb86af63a4e656333e03d8e843daba1c6cef |
| SHA512 | ff269dda2de7454088afab8d2012a847a81f2e9669123177e71032332164710f39af1bef1f64eff1ee666649913247092ead04890a374d58bcc3c89fff6e0a01 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 48db5bf4e23804512e148173a4c3af1f |
| SHA1 | 0465383ad7b29db9b732d95415a24e13abe68762 |
| SHA256 | 32e15acac44beef66ec7514ccdb83f729b16606b366311d2ef8b1c788d320ea9 |
| SHA512 | 1e428a0e097e9f5c93d0e0bc4c93b0699e1e6c2c227e240d63e704d70dd98fe3434dbf65988ed8aa60e4b0a88f2602f0aecb64d1f47dc81f0ef82ed2d98cf468 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6167384ebbc334a97b7ec2176fa0ca2e |
| SHA1 | ab7ebe6c3d44c19126d644a296e809455473bf0a |
| SHA256 | 590962299d79d1ced8f1a99aa7ea556fc96235d6f9bf006bd084da9cb2235b5e |
| SHA512 | 1a8252eef24abe6ef9b217f0c00bc36b2f388c189aba2d7d61f43a6a2c320258b1455ae9db3ecafc060cc7087c487d1a34ad4fa9723ff83074828ac62e5c19b3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c51b730b35420e22e126b460a1ac14d5 |
| SHA1 | 87940b2079f3a1fcd11668187d5a67650ee5ebb3 |
| SHA256 | f8a152bc7e62cf7580137993287cf29fb9a96387605aa4d9642c2e8d003b3533 |
| SHA512 | 22d88ae47bae531c6b3b259803d7c35318b3e6ba572d695aa7cedb13c736cde718ee173489e21da394083d7002d4558a52a20dc9a22f37180c89c93d2d24fc68 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6e11c23280df0328d4515ec15bf5dc50 |
| SHA1 | 81aa7a59bd4bd94bece60f84d28b93c10384e63d |
| SHA256 | fd7da94ee6f905d21058267930c61323c03d42e6d88accd86c6444f2c0ee50bf |
| SHA512 | 5c59310ef507dcabba8bd5708c7e4e2cde0934a5e44c65490f9ef4c74bdb90627cd6039e4fde1cc22019df85e309d329c2d64242daf2988d3e6eceb5ed059b71 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0d15c9420c04a866b86b5c7f7ca856b7 |
| SHA1 | d7d2c90d720a12fbebd1026c0c627e3b1ef930fb |
| SHA256 | ea9d13a2c558d2b06ca0519f986108233aa94d43d348d524949cb47c61d447ad |
| SHA512 | 1b1f4325ac73eee04dfa5a93682ccaf30c93b74f4077caa955d31fdf07ee6f58ed19e6a721435a2ef5649b9c68d72c590353ee63e66a9c245457cb2f47608c2a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c6a92c20eee4a0fc041323193bfd9730 |
| SHA1 | 11dce65d43e62b90bba53101e64371ccbd81ef20 |
| SHA256 | bba85d2fb6e57ece2bf735358e826b10685a2fb8eff7f2d095046c380d2ef42d |
| SHA512 | ac65584f75c52f047f6c8e5f1e8cbf1a299ae47ba4deea10c670f1f4f4938a6d027ab4c9539f7134f4038e6c95dc8edef177678b7e6f02ecf7ec80d01292314f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2793cb21af2922e750da17d276126ac8 |
| SHA1 | cd6adb5d2c5b7fcb3956be8d118392480eaaf894 |
| SHA256 | 55774cdde1d10e734fcb30426b6a523d3d2f18c94d3719ec52f09efdaf38a68b |
| SHA512 | cf4d3baf73a7346c98ddfda3fed7cb2af8226ea46bca8bca672bb7938e0fc0f91e745febbf93c7c9571399093f47fe9becbd45bdbd2eb3473e6a6d66fb949f85 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8b42bc25d9ef1413e446df19cf289deb |
| SHA1 | 49b17c3d67355159af66a35be9b6d99bdcaa3edd |
| SHA256 | 975f717c76e336a6cd292fef8a4a362c6016169fd631ca38d1ca7d1132ce840d |
| SHA512 | 7f20fa4eba26d4f43d30e3d4baaa6f7aa0d1468d96f1a8b6bf8901b05a7ad65435eebd83641bdf09eea58466afe0e7462c38af4e57fe8a7eaf1088ba409a30c3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1621a648589f2c73373595af872af4d9 |
| SHA1 | 8ed406867b3ae010dc2f15f0d44c61ff7e2589d0 |
| SHA256 | f64bd5ebd774f0baabeb31f49b619aab7dd69533ec544aaaab21be92ec8b9aaa |
| SHA512 | f692c3494cd30afe029961d069e990bba694df62fcd85e27517ea06e469dcdffeaffd4389d928d03f7c935966105f880c4c186f205e2fa6f214b8d6bf1f46505 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1f708e97fabbc885496dffcaf369c69c |
| SHA1 | 8838f86f9bf22eb3267f00dc95fbab457061a27d |
| SHA256 | 97e101427705cc40ae8988984a6ae01b2729ce817d0919cc88f70d711a279116 |
| SHA512 | 8b53e130cb640ada739d74b0c6a9acbb5d45e86bc99d68f87ed428ce8d9d8f5428ad00fefa30a20a361322185dc97dfbcb63e297122436475a7bc019fda106a4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 20c5a3f9b7621bd23ce9479d03081063 |
| SHA1 | d333839fcb149c910fb21994894dd3f327dfa787 |
| SHA256 | d3165ed664d2c092c4f560bd63c4b71b273d6c03d4260dfde7a4e9f500566e52 |
| SHA512 | 7c1cd3a8dd823983d39eac415efbd0af45f582bc063aea05a67f7edbb646b0814e2a4b41621964dee10fae336d1650564710bd3dd5745db98fe354f15d4fcbbd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65b66c7927769d7c2c4777b7342254e3 |
| SHA1 | c41ba0e2ae736f697b5d492672b27e3aab99bf64 |
| SHA256 | c059cf767ff5f9516f0be2cf0344e8ee23952a3f791712d1f67c7f1da9262952 |
| SHA512 | 76882599f554758a915b8d11e008774a79baacf6aed55c09d174d2ef638dd2eedd25e869e14ad94fc7d9ceb2c338b9ad44da995eaec79ebc95c40e3b2df21881 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 38efe6ba93631aff1eeec6703c4b3123 |
| SHA1 | 824523a2d9cc1e940cc0a0c9cec47f2b91b5b2e7 |
| SHA256 | cab11103d63e0a208f90033fed96be5b98b9e4a3cf21de3653ec45cce16b224b |
| SHA512 | c40d0d1ef8981e52f5d709416e0599aa2008a334074476b969583e3000c8d65eb57e807210bf331086d509c6ce6677928e7d411acc549b69f18cfcf165fac5f1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2c223dc774ebc1619fa7992febe8f99c |
| SHA1 | c46d6aed4731afa68ea581a5d5b582f675f561f6 |
| SHA256 | ad7f7caeb00df8d5fc8e4c1dc5776513de0f7527bb8e4fc1c95fea7b6e7fe75d |
| SHA512 | 2bd98df3163f4c3aa36063f412a411c1f04cc96ce56a11ba5ae5bf924e5feb43b4f8c01ea7485802fe798c9e09b6713c02d63f96478a89126807f7adbc1ebbbf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 676149c83b2afec6886ef8dfc32a2b0d |
| SHA1 | 7f749e9f5b5a639c56fe7e5b6b68c534f0e71bd9 |
| SHA256 | d936790d1c38d0da704c87ac1954a8e4e6f386982b5b13ef6e50037c9c30b8b5 |
| SHA512 | 185236576f06cf69d1a2b102c2dd21ba34c4b9448695e87d8509895c43f234e69ee7f8da1eb1dbcea3e0776efe5369eb5465747a7853551e1191dce7c0e375e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cf56379b123dec9913717525442759b1 |
| SHA1 | 4130fc215ed1a5bdb035eff5641ae313abfb8d56 |
| SHA256 | 76fa7b1776513aea08c8021658583df87fdfec718d0e594ccbb1bb1006d6a5de |
| SHA512 | 530f4fb43a387bdf71b4e891337d4d8ded224c47c55f937dd1e8a6fb9f0e4bd391ed5c1ff75d8de7a33c993b457e59a549feb42591bc3962ad787931735d6ca9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 602f98d64569c76d0078f7a9c35f8373 |
| SHA1 | 2ff06f40bbd4a74fdfa134da04af5ae3f113f3d8 |
| SHA256 | b554cd924458d507af9fb1e23b2980cfa77028a6aaf387fe1851d66c635b47c6 |
| SHA512 | d3d20b7d92b0c653443c0977c858e611a66399abc96fd11504f52c6c9e86b74d23221e1ad32f403d13880d7b8aaee74ff414c07c1f6096193b43beeef9fbbe3e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 14b04165c02448d0e555048eac5ceac4 |
| SHA1 | cbdef1c0d66f45563576bf8572a22d0b862afb6d |
| SHA256 | d269f4efee9b2e3eb66b6bb62c25dd1ab6cbdf0298ce3f6fa5821f3823971756 |
| SHA512 | 4b210e524ac833a340189651a89061f556a65adb76cba4521428490a06dd5a46c1ccd95dcb82ea6cf222579bad2d35d957ff606bd47764055fcfa23fcd3a83e1 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
149s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\ICSharpCode.AvalonEdit.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/4572-0-0x00007FFE4BCB0000-0x00007FFE4BCC0000-memory.dmp
memory/4572-1-0x00007FFE8BCCD000-0x00007FFE8BCCE000-memory.dmp
memory/4572-2-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4572-3-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4572-4-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win7-20240903-en
Max time kernel
136s
Max time network
139s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7C8A8B1-BBFD-11EF-BE65-4E0B11BE40FD} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 608d55bc0a50db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fede7374cdfcd4db0ba3fdd2eadbc3400000000020000000000106600000001000020000000019ba2b86518092826b3aeacc0fce1f6c3a63b5c4ad59dcd1661064833d2cf30000000000e8000000002000020000000b1000bce62cc9f395832160995f87b60c90a89d59b6f66e1f0fc102a42595e0320000000b8ea8052511403975c2e2510ae6618e4dac819ae8d526fe8ca48fa3215d160b240000000de62847ccdebcd4c04229a683edaaf58e4717b2ac65dc73ed31129c84e20672004844f8e4304c1bcb3972d8a942e0cb5d1ff313e8c4d5f47748319d815241744 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550337" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.IconPacks.Material.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab8421.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar8491.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | efc6026c7058fe185555f7f8d5d6e71f |
| SHA1 | 4329333ea08fdc99e4100b34253d1033da50590d |
| SHA256 | 0238bb95be6122afbfe757cff73c1a808b6410a9ad6a907555ce64d342254565 |
| SHA512 | 7053403a0bff349b1cca2540a23fae5497679946aaa56157fde5d6d227acba6b6646350b4157ac247b86b833c21072a904fcd52850957af65282d4761221ff63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7714e5f3870373a52b22c7f70abc0f74 |
| SHA1 | 914ee0aea38095a83450918f0eb87d869860fede |
| SHA256 | bf44e5caec510f9cfabbc860b10f330e55c15601e367b70de0b2a8c4e2dab12d |
| SHA512 | 19002cf5aaa5280e84df26317a010f8ed2a13a13062496058b232068b84b9c5805d40fa57b7603e497d692affac93d926c070ff69a3f4dd624f37ebac937f268 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3f53e86a03786299538970dcda25d73c |
| SHA1 | e4ac2472f4cb8e42fb8d9aca2b29b8988646787a |
| SHA256 | 779c22e41ec03b127c4b66970503302857c545d56936512233a3ce4b2dc7c78d |
| SHA512 | 1e3287d74ef34a848b492498787d749f6339c0a7b640b1b7bdcbb641b253320725b0ebfe3cfb6f1febadf76d1d67dfaf313a72fcf52fab0a7db17e905126f95e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 140fe38affa2600955e8ca42a0a36221 |
| SHA1 | 3d1aa1b8b1dd99a22c752c5acac04aa2c7d563d2 |
| SHA256 | 0224f381676cb96b8c671a782bcd97f4657e421879996f7547a7277bcb670cb2 |
| SHA512 | 15636ed4dacfff7c66fef20d36daef9f21c5c5acc4c80d701aecca2b6edbb5d3e1af937ed824c8ce1e40b0bf61cd69871b12e2ae28b7fcefde66007c8de80617 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e2fd28f5e06f4e8cfabbd18ec4fc62b |
| SHA1 | b5d341a46503f2cda3b2d90d27136a0451c235e2 |
| SHA256 | aacd5b130296db2f5ea513f3a7b5895bc41008e7e38300ae1a7b919f98e00b71 |
| SHA512 | 391115eaa9a82dafee798547bd12d1155a6d6cbe7f9d590b0831d1ef16b2e9b122870c911ca89b713247062a42d40c25b076c498086bd708a65e8a11bef446fd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d221d19ed15f550e0d9b0042416fe86a |
| SHA1 | 750319a1d38f421068b3a481957cde9e53ad5b0a |
| SHA256 | 3cbfae86ce00398e13d9f67079263a9aad64cf0c9b19045b3758cb16055b2e41 |
| SHA512 | 5564f3107e7b3bd7c962f746b3b4935efbfaaeef359b10e959f65338ac63b8c4fdda7f790e221af8bcbf4f038ed4c47b74632b7d2e0a0903149e06125e32a5f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 22f5d2a5a01688a82923229278ffc7a3 |
| SHA1 | e50e6866dff56e5d3f847fc2ac4d556f2386c105 |
| SHA256 | 4badac3494ea5019583c579af8b07b86fef7919f2596975dec9f394de1c7b6fe |
| SHA512 | a0c04b25adc4a72519a1847e2ceed9b8153c403b985e491687ca33f315022ae59966d88db4cb3463667912be51ed84e02e97d2e479b40ef549b20dc5699310ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9f742a63369fe8008b78ab1522996751 |
| SHA1 | 171ce83013e88a3a6152911e7e3f1b8378b1efb8 |
| SHA256 | bf3929d2197da15da99c7faf1d66760247eda6191492858f92c3fa7e4267e09f |
| SHA512 | 7de65f77b0eb6eeec62e79e0bc865ad441a0432cdd48b9969c4eb2962c62eeebf92ba174aecce03ff19faeef249671cfe3ca7ca35f45844789103669841a9999 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4fed95da07b098fb5ce1c77aff1bfdb2 |
| SHA1 | b5e3d4d8a04f1329c00a26e9b2623c92b4884e0a |
| SHA256 | d659366eaf2bca07d14bcf47ba8cdf9cced8d94dbd00620f08c400bc5deba331 |
| SHA512 | 42f12c862de488c7b0f8b9bf33afe9844313ff942f85af4bfffc3bb17a77b247d0eea13ce13316430f4c264aec6cbbf31741e28fe4f115de6eab108cbe1e429a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b1d3aba8efd506f158566508f00d448 |
| SHA1 | 4a7f7dcede48da66790243d49d9bdeb18edac404 |
| SHA256 | 182e0ab96c39bbe44adabb3be2121bf9583e2a75cd16b9c5ae1baf0a694b2545 |
| SHA512 | 3e2a74fee6f9b2e0a407b514d3c650d99a5d9c4133d93c6b543a18a68c9ccaddd795e34b5ce92601e7cbc2d635ad730ed61dd51702770a55183defc8db05ae62 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 98df85be6f2229d0d49b8611a64643b3 |
| SHA1 | 04e32dea93ae0f436e45e7e8fdd825c56f3858f0 |
| SHA256 | 82b59c1e1919b1ed22e654af5058417f7fb0af298a76a63c83e43584e9c20f89 |
| SHA512 | da9adddcbe239365e778c7dd20b90979f2fc44ed6bbf3cc9ab5aa1aa120903367a7ec4ce0007235169aaeac5420a1a7d75a15266e332ec3b0bf3a534653c5ba6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0f9781470920e7aab104d694c929cd4b |
| SHA1 | 1db12e4d1a55b03af36c68a2178e3e8797341b94 |
| SHA256 | 272e11aace28a2f651bd1c778a98efeec6eeffcbcf2fdb75847020bf5b3454ff |
| SHA512 | d01ca092ec31744d4e6d6a556d4f832a15534ba724ce96778b54653013e78f75bb93663a4afdc987e27975e416cc5ffdd249bcb41d775586b1a88f02544e14c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3159138934340e4da9faf9498e4ad9c2 |
| SHA1 | 890841d6cbc890358eafe970aba29a565a0d9449 |
| SHA256 | c2c0fe048a5f107869e5ae33d8dbba396b3bb6dfdf77c99710d9bd060caf34a9 |
| SHA512 | 1e9e6da4557b6c67288035c30a5f1378c68f2c93daf8f3c2b7086320046fab763c7fae76c30c479e37858c8a3aa89789590d09a4dd67d07dacb29664e57f6bbe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5c71c5a279bb59c12745b1a16c2300b8 |
| SHA1 | ee08478d404fd242b33e4a0613859cfd6dd7bfc2 |
| SHA256 | 54f2d36ea5eed612993ddf6f4a6332c8f5f9ea52b9e063bae69b7281dbb56182 |
| SHA512 | 3dba68b2020fd7b009ce5204066a00a0292d4d197bdae4d78c487261e55747f0463b99a4106f5c46b1219dbbc0c3ce691d01866bbece9483b53057b246af14d3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b932e18f7bb2f3f09e45c6012e6c781d |
| SHA1 | b93881ce1d37e6aec188a640935700df53601b1c |
| SHA256 | 7394070fcf633a7c350adc30a736b809c48544c9dad21f9fce6a5ed33d9b2ef8 |
| SHA512 | 75755a6a6e4d521f1e92b8647a17814df49a4e7177e80124bc785c90d3778d5eefe05803f05c1de1fb0f75cf3535f98f8911f4a68342739e07f7ac6b80cf6176 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7cb4d43edcc47b2d0834423d0f0ee1e3 |
| SHA1 | 1a574c6456764f424122305765273b018a664cd6 |
| SHA256 | 172ded38397cb9d0e3d5c52f1fd6a9d5c89d3caa8fb5c21041e6adb9eedbcd31 |
| SHA512 | 6ad1b4699b1893579ee0f81ac2a7a9da75649a373271cbef07ce76ce9276f3d32ed4d79afa0e220b956dfc46861b651f7055397b26a6d8381fe4f62dd9154da4 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:37
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
151s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:37
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
146s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win7-20240903-en
Max time kernel
120s
Max time network
132s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102699bc0a50db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7BFFDF1-BBFD-11EF-81B8-46BBF83CD43C} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fd49a9bbc5d79499e1c135ed0483024000000000200000000001066000000010000200000007ea8dd386aebcf7954b1584fd3a9a108744e0e7cc16a944210fe3de09353830c000000000e800000000200002000000053d988b44baa19a18ffa722d5ddad0709a9bb0edcd97dcdbc8a3527bba2c4ca3200000007d575f1e4712f6a97813ee4bae2364e08da7bb2f6c7061cc30fc6ffa3883c4cf40000000fd1325d20e04108b549eeb33aa6a74b8b0dd041a652904be2ef6f2490092439578bb4afe168786cde6e82b7299b3228a0a19ac8693a2ede786e67aeab8f0f806 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550334" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Newtonsoft.Json.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabC9B6.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCA28.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eba457ac5cdf36a9ab7791991b86b063 |
| SHA1 | aa4ba305e5d401251e840481c96915f80ec6d7e2 |
| SHA256 | 23897661ddc0d9f15a31a64058f3f205fc1619bbe36c5afaa1b1ea01b8ab9fbf |
| SHA512 | bc9730f50b77dea631b253ff82fd5c410711333f9995045432e92c72e137c5308579335f5a93f591142855f84ff9232faf8ffde8b8096d9e50b3286b1267dfc6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c81881e1e2c81591372d9aa0ee180458 |
| SHA1 | df10f78083104e4ae87a9c456de6af3ff258cd7c |
| SHA256 | 29e33f0dbce99266920a94db4033a441b85a7308f1bfee5fd998658cbba227d0 |
| SHA512 | b4aa26694876144e37241aaa96d61a775a50d5cc2f805a338fcd5c8ee7ab6a62c00d6b4aab3a26a217d833108c170f8f456d8b15d504637ec9140c0b4e30698a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 10bb15cfbf2c18e9d3278fa6bb12a9a5 |
| SHA1 | 45edcf32997de58a11fb117d221eea8fa54f6404 |
| SHA256 | 08df1bcbc26588c777bdd26692346f1c47fba2cefe0b513c8c5c77368ea72e8e |
| SHA512 | 32d34ab3a01285b0d4e39021de92fa77d70ca3a955a655886fcf6d8816b13132e6cd43f1436de42292af6d5d260044f3f8bb317d5a7c667ef788bcf60f111981 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 99643b633df9ea962b0f1302c9f4adcd |
| SHA1 | 9b199014058cf0eecf3697f67c293f5619657161 |
| SHA256 | 1a3751652614baaa135a3d33a7536941be1f3463dd2e65a36de90cabb212f67b |
| SHA512 | b0624b527b3359d5620d331a01a2072bb619f2efc743ce879072a991a1c8a60640a4ef6dffb4b97a3c6bc72b1a05edc610c7d39b078d54f7f71d24a5fd0a068f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 88713cbfb25fb7159d822542c999ff83 |
| SHA1 | 79e3e35ff40f10544d0d500b297c77e15dbfe5ff |
| SHA256 | 1ec11c47c9eafaf625ecb60c45963dead2800e6415a8a35157098cd684e086fb |
| SHA512 | e1b8e960f083c088ef9c6e9e6cfe1f999870a346f3ba57b30d49bafec907b2d262d885c82947d355d65996587f869b9a23b8e4dfa14217f95ed83c0e6696d2f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dff0370a3682bcb13c86fa96404ee16b |
| SHA1 | a585d7842dbf971131e88df014b473296b96026f |
| SHA256 | 812e04d356294096165fbc1c2ef4db85adc08e8dcc7e4c65133ae6ebf7396471 |
| SHA512 | 8837b5c40e9068d0ef1f625a8264917fceb5889af12170ef0e9955c8d1b9c9aeee2404757af60a7252881d1be58e6e9755123ac329c4e0653b9ef6e11a71b6ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ffb7e28e72dac0b0901d44fee98a90a6 |
| SHA1 | 501efac033f8bbc9a009994b098cef40eecf9f79 |
| SHA256 | 53d18d881ae240492e70bffb3b683af1555200b4e8a991ff1150cdd460b863a7 |
| SHA512 | 0ff4cc1b9d4fe4a91d876b1c99b5edf68127ab9d2309c69013844483560f5fd3e2ed414b06faaf1db0b8c2dfa4623357017a5e66487e5c40e84af97d6df00c3c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0c47264b9f321eec93defc4603cbd3b3 |
| SHA1 | b72dc417a98115dcf3ea51a24580c6959fe349cd |
| SHA256 | b228fd1c63c852823b10796675d274a133cb48908bc57d21762dc28552fcc069 |
| SHA512 | b28278d448f8264169d29baa75aeeea5ae491e6f984635423591d83a03f8765b8180b355d3fd0accb231b01c474af8bcd5b4c26d263ad5fdee243bd9f329c7aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8f9fce64390518bba9398f414a014f6a |
| SHA1 | 8f32a6067c656e9d0fe4fd3e877b4a809bc92b27 |
| SHA256 | 384aca92ef97b735b65b4bd30f0545e905c98479f0869676b00fe6784a6ab2ff |
| SHA512 | dc7ca72d71554f785d7d8b2220678df5add5008ac102d859ab929a9bbc72a32ec27492191af66b98997a2aaa4383e8bf635d739d66c75c6e987c973cc0c31e19 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c4f95d5b3b39f79311bca2a6523330f3 |
| SHA1 | a5cbf15228229768a9f425d35095a52bc0b404c9 |
| SHA256 | 7356668cfb543934e1c270cc1762ac7f4ad3ecd5754851b85ba491d3ba5e365b |
| SHA512 | adbb21dd908787f27c0ff87eec7fba6b23b7539fd57db1d886fd8babe98755edab098b08e11d5633a8be06944eab498e8e2c84e3dc901cae53c77c0700619050 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5d69ffa29d4d749a60631bf6b3101f19 |
| SHA1 | c9dd706cc516c9c4447962db7f3327a8b93dfa75 |
| SHA256 | 8f7ffdfca6451b653ec18e21ceb91e83ab3b21477c1458e4e32aeeb1d398ba16 |
| SHA512 | 255ec25f4a6547d860c4c68078e8acad13d56bbc3f8b257bf4b1c872097ae86459ba3d1ae5ca2551242a474866209d01163bd4ca07a993d909a74242b73f8822 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | acaf5a4dc2b397bc31b5bb4d8b0d5fd2 |
| SHA1 | fa3608c7aa8514acc94e9e8bdeb226c3c0cab0ed |
| SHA256 | 354f2889fcd689db8a3c570b48737e8d18a238a8caf5a36217b0c366f3d4901e |
| SHA512 | a8229736431fe27ba8b1580f45658ba542c06eb309ed2b5459f3ddf2c8f6db962f92dce15576a59b44401ebac8d930b03dfb6435459c5e284378c73bd8ca8efe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 160698c4633ceb46f04dd861b30e6622 |
| SHA1 | 8e1680f0e97d1f671e517fa2a8aa7f9ffcb032f6 |
| SHA256 | 74a5a543760b6c867943e23a943dc21c61f228e8c9a4b57b199fb4f94aa733b5 |
| SHA512 | dd7fe0822da3e41b28bdf052dcac38cfacab7c71142c85b0204b41eadf0c3a76986b3d026d5fc45b86644198e649324a8ba1761233fbea9cc773e7ea3054d43b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 121072f71aeb95013164fbc0492b8611 |
| SHA1 | 4b71cfb1a87eac45e2fd492f24f834ab4141231d |
| SHA256 | 2ba80aca62e42238ff82191221fe6131ed94e066f9afd16c3dbb5cd19b2bcbc0 |
| SHA512 | 0dc57f81b2240d63adcd9221f8f31b84141d152a0374410bf106bb42c7657dbd0b7e937b5e02759b3e1839ee02a80a1ae62efcd406794bfec92ffefa8c457af7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 96b8a20da04ba3bc8cd4fce3a9b90715 |
| SHA1 | ed3ef5b2839de612d0786711d24d57760ee4283d |
| SHA256 | 1ebe73e802f3e8cde942b70c6790f9a13d7432a7da281e04e3b08cd804f5336f |
| SHA512 | 68a787d2a1b316bf15796413ae439d69d262aa75e6c31e63a424d868bf2569f76e186216d8adb5d4b1807105714b89c35d21c954b24adbf3d32c47c4a9199aa9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7fb85c3d8c9a0fa96216b622a0aa0788 |
| SHA1 | f2a4d39f2d9078acebbbd1d6f9942bfa847593a9 |
| SHA256 | 72ceee26aa61b88393dc4b525c0beb1a605936a18aa2d4d3ae04bfb5dc8abc6d |
| SHA512 | 3ca29fc232c9e163c1467fcfefb76abc8ba4be429e89a51e50015c51f71ac7fd007a6a7ddadd579c60f198634bf7ec06831ded0ee1464ddae98d59562068ce3d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 155c56b538828c4a223b7ce5091939f0 |
| SHA1 | c8b51c6f1aa3b1f5f53d41e9b7f4717b442e21a2 |
| SHA256 | bac3c943a23c2baa61171b9b7ae242723eb1030ee975fafd8e563da6828f1337 |
| SHA512 | 3b651961661cf4750d8cef7eb68f19e2183cdf59a0682f99a47e9ce9cf776d40a9bbf6a7105ee3c2649d4fd0898de69e1c07e16d688269bf054e932b6200bd15 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cba77e24eec3ba99fb06303e1c7732df |
| SHA1 | fe69c0595479db185aa89201b6fcfd8c2acc9685 |
| SHA256 | 2baacf758093b00242619b22d2c199f2c17e20228ea7b561e063cf1e53402d74 |
| SHA512 | a4382f431ff29806f81f5a62996d305e9da93febd9f55ede91ea161a2f88ea34f0a3a7d9aaf2b434feae33253bcbbacecdf7bc74521c7bfdfb4cbba317ce7704 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f25ca4c9549fb8ac688386e30b64de08 |
| SHA1 | e98c77a49534d55f9b695867f0616ae805c181c4 |
| SHA256 | 54c551e18b960367545a797c1d4d6c17c175a36c8f1c9285a49a37e87b78327a |
| SHA512 | 8e677f53af0f03980306b4b2c96cc46cdb00415ef48297bda52adb4b6318589118a37acf11f7e92164fbe4ecb841b4b05031d216ea38c4714b5498f885499561 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
141s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Microsoft.Threading.Tasks.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/4804-1-0x00007FFD73E6D000-0x00007FFD73E6E000-memory.dmp
memory/4804-0-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp
memory/4804-2-0x00007FFD73DD0000-0x00007FFD73FC5000-memory.dmp
memory/4804-3-0x00007FFD73DD0000-0x00007FFD73FC5000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:37
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
98s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win7-20240903-en
Max time kernel
118s
Max time network
133s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550332" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ed3ebb0a50db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E69F0561-BBFD-11EF-9527-EAF82BEC9AF0} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b94a6f409177e0479b5a661aa7b0fca300000000020000000000106600000001000020000000cff202ced7f43c2f8aa1a608b4dc7894aca2c1f01d465200ca09a0161dd6aef0000000000e800000000200002000000073a39f0b43c0276fb9fd00bba6aaa992aeff3e228c2cf03596c2c256d477faa2200000002da2d152314c11d157ba53f9b0c5f188f40652df3c8914a2a208aa24f781a9404000000065090474022b572ec3b2785a003508b7d9c33a46e74be154ac2cb5394c886772c934f8caea4ab1c45a7ac50446aa442124b5125a301b024c30ac0dcfc84601b1 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Wpf.Signed.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab18B2.tmp
C:\Users\Admin\AppData\Local\Temp\Tar1960.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral11
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:37
Platform
win7-20240903-en
Max time kernel
122s
Max time network
132s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = <value omitted> | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000549d7e9a22aa7240a7473edb6123189e00000000020000000000106600000001000020000000a1506276b1a0d1dafb903b8ecbe3485fcbbd6978a447c3175a711ee199568791000000000e8000000002000020000000b3ea7a154b3517021532be6049f9333fc967bf05af0b86da85e2373de369ed5d2000000007711fcc826982d8a527500e1f23100d89fd2975852ceb64480c557b5b81274c40000000623e53b6f04533e32cc1ccd241df963ae360458f887d2ca59336d1aec45083056b49d2c0757d79233bc190d76e5ecff3e02daa8b7ddf4dc25096eb5a73d97eeb | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c494bd0a50db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8E1C971-BBFD-11EF-B40F-EAF82BEC9AF0} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550336" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabCDBE.tmp
C:\Users\Admin\AppData\Local\Temp\TarCE6E.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral23
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win7-20240903-en
Max time kernel
134s
Max time network
133s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1036c0bc0a50db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000222b7449714fef4b890928982fa9eada000000000200000000001066000000010000200000009f30830c6a2925c6176b8138d40fdde0d040731e62eb7906470b6ee4659270bb000000000e8000000002000020000000e166299964b6e59dbd33f40c990756da421361c985eb205d7b26c524fa435bae20000000bc8e222a8125cab9806781b28d4e7a0b3c57f95722c8e9f3e9c56a5430a9d9af4000000083203bd3ba8dbc89af4b519ce0c4ba6801012be895a5385136f86e321f768cd8de9fe22df60c63b24c2b0c87dc980c88e2a2e429963c909d4a1f3fdf8becb0ab | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E830E061-BBFD-11EF-949F-EAF933E40231} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550336" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Microsoft.Threading.Tasks.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab3E9.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar4A8.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18ab01ebd7b5acd601ab088b7af3561e |
| SHA1 | 05da0fcd31bb1b09a9491376af8a179f4714fd4a |
| SHA256 | 51c65d87c3d7458364de704579cf378b7640cc16470e43e291ee0743851afa2a |
| SHA512 | c9dd4fca533b29b40a07ecb3dbb2e142981bd80c844bd934f5529cd38f4456d2db783d5466987c923981958478ab43f7a59094181e125015744cc6c90dc1cc93 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 07b78b274d28b41084822f1833f3d1cc |
| SHA1 | 47310472c1371046b8bbaed9e29b6123f56b6dae |
| SHA256 | f23bf8ce81583f98893c8605dbe361ee1d707677bfc8e5f3b64299708bde5f67 |
| SHA512 | 30e8ee8a3018d921c5452b8ba4d25100993f94c9f36eb8c6c3cf898f69850c3881032f3258ea36551ac1de68f6245322b12615f832d227e051c5a5ff629432a3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3f3ed729924ed287bf4c46a5607f9a94 |
| SHA1 | a3a753568705b068879ba53cf8519e190c6a1e4e |
| SHA256 | 72a6e596178cd6ca246bcce90557ae9186b6cb95ce22713895e83796f31a869f |
| SHA512 | e86807050983c06af7ef72aa0f720780afc53ae70300942fedb715ce54f6c0c4d12503a6d928ced5c38ae5c63c51067a5e78da43bcbdce27b5aa4ba7e2ef42ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2a07807dce4a6407e2403fd0a98e84af |
| SHA1 | 3672f639191bf8aea6948eefa63a276ae552e20c |
| SHA256 | 4ebc8130f7b1d9ec527377fb5de4c1a9f70af325d3f8a446958ec5ca42ac88e0 |
| SHA512 | 30fc9825b4a40489359d9b39c0e0c8b2be14fc478debabc704474c261a2db2daf59c90fd7b63a61e44ac00e408ee3715bb028cb6e6627f3e7ce9714620c9d5ae |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18f0f9334a06ee9e8277d775cae68d66 |
| SHA1 | 5cf142fa7c092f4d434875bbabeb8da0245e9cb5 |
| SHA256 | c39238b46997a00dc8a1231e5321ca8bfe7df10ecce1b72ef4715697023671bc |
| SHA512 | 8f4a4b2f30f0cb9b2768c1a90989c5a39598c70d90b489cf058dcd9615e71d5b8bef0683e0e0ca66396f0ca422362f14890c84e752b315604f244ac4b64d474e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a15a3314da10c4b44177131fb80f3989 |
| SHA1 | 3cfb153d2c7a6234567d522525d224afd07c85e6 |
| SHA256 | 594964f697deb41f4e25ca9576f7598856b04615e00ca9be26c1c46590e05f37 |
| SHA512 | 451d8e950d45431910ce391d98dc76d55183db920ed961b4d6411abcea7a9314377e21fc186e097340670c3730d8399a94b0a872ecc78003f37d56fee349b31a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5bfffa402bb58475c0eb747f9dbc0b41 |
| SHA1 | 45afbacf2d094dda56cb629b0af16d08cd5ab0c6 |
| SHA256 | 7f05bc77fea98fd7d9fcd9af5c513636f1769fc94261979e170d96467e45ef3e |
| SHA512 | 7fa33a72a8af0f752d9c51d35f3cf0d3c4e5756dfc83c03a1bc61f61c25d5fbafb97a71c19ea700e323553c37a24c54616396065eb182b97fcd02d6d5f291638 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e27b3107c249aea84ea79fe1960b9e75 |
| SHA1 | eeabcb6305ca59643f2428d0d1e677f1a98438c2 |
| SHA256 | 2141fe5652436ccf6ba9dafed5e4d5c6f1fc43cb7c0ffab0270f13cf43c74fde |
| SHA512 | d3030de093988edbb78084073720bd174936c45e41d120aaedd50dce01e870d7b5b64b8237e8b930ac9c836129204d32e401851cfacdfc36f4ad1e5c46913852 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cd52c92847ac910ba8d3078e4d90e314 |
| SHA1 | 15f6c646022df9b41abfd5f0563831a553ef70d3 |
| SHA256 | 8854fee0f34e9da81b7e481c53229c1e58ec9e60fd8561d4be6dde70966bf0df |
| SHA512 | 751e69583f650197a55f6f23cf38fb044f1d94fb7d323d68ea74fad1927bf4baf9b27a14e8e4c4d39baa91b6f403adba0286aafd17e523dafde8934c1ce76590 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e079c9333d44ae6c5bdb042d178b105d |
| SHA1 | 4c3474c9d3f54fa1b8d5c425c384dd3a658320ca |
| SHA256 | 4870132f4ae98be7c4f850f16262266bee5eb609e53d4c49f8574859561cfa71 |
| SHA512 | 6f02955bba4fc4af09b5f6b7657da2002d6134ab847bc5ccf5ee8ca28658050eaf5c550191bed6a645879d1dff3a761e2fe41c892ad94be0a97712662af43cd0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4aac18d6872da82f816f99a2be0c0f82 |
| SHA1 | c8982b4b8cf691e466d7b13ab4a9fc0250e44543 |
| SHA256 | 29e2da8efad1823a22b5dd9b01df0a3eb35407fb41a9aaca1f1366a6bc30d00a |
| SHA512 | 04cd5626f4206098c8c3925d9d0dd7a5a9e0856b11859f72d3da7d8e119bc85806ae0a91b61eb2adcac4dc3c332f53a3601c310e0abe4a9390b0182bc9cdd8e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | de987200f44a733946f76eaa533cbcc9 |
| SHA1 | 536d0d89a9343ffb3705c49f26a44afd3fd186cc |
| SHA256 | a4b638d549473c74af18ec137f60f0c217cb564e3e53e3ebc491e944da609999 |
| SHA512 | 810f99046181c614bc651157f95507f29fa88914688999eb86c0f47c0d82212e2416c425519e1ae5d24ca3a9f8d5b7ed99fc76dea53c8b48e68e74bb42d55833 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1ccae27c7c7fff4e0f412d3123306aab |
| SHA1 | 568712c1397654c6670ed416bda0f6e8908cf335 |
| SHA256 | b552073b859e86072503c716ce995133dabc2a755781effa275ddb274e180069 |
| SHA512 | 583087852454e2c5dbb954c9857c363da5eb3064caf85490c39c4ec91f6e6bc5b7a113c81729b717d54f182259e0d12eb4ca3a1ae4ff34e860b4b9f218ff76b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4002229c246c66ddd7d8e9c89ba774f8 |
| SHA1 | 9f2a44e8c8737735f1b737f186334ecd07015708 |
| SHA256 | 5842a3b4405456a15b280f25dc591d48e9d0c7324231675a58aa2a12cb3ba59f |
| SHA512 | ebf393019c9b6e6cbb992716468fb654093e90ace4cbc841fd7372bd38fc9d73efca7c667b3ceaff5ce52ce82e1c2258613bcce32b942cd5fb0a792796258951 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6258c32e75379c1c5b4b446a39735c1f |
| SHA1 | 8cfe8bc2f809665842b9431483f901c87bdaa53e |
| SHA256 | 8859b7af9cea0f4bb63fe6fd56e372fb75709805ca9e3a75dd987affec631a92 |
| SHA512 | 0d119304baf45efd4d67ef113ae7ab20779d728db3a16e3e3bc431208633d76085db6e4a3b2a34ff34a159406c7aa80097534dfaa94e03f2eeffd60e7ebcdd50 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 375e6de2391c888c2f81919eb1279ad3 |
| SHA1 | 5471eb5adf34dc1510347627e8ddc9a59c041d4a |
| SHA256 | e60d9fcd5d37abb34320c992cfd0aa2405dc505165c494daa4034079440f7822 |
| SHA512 | 87d680220b42cc71ec52c7fe74d81ef63b3584ef8c9aed2c9927e055fcb534ea8d7987be0d4df24716ff28d0f91b7b91f6e50c3f94f43269e3c7b4d6c13e0424 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 31f8d56fe675fa731171f009d5a74b3a |
| SHA1 | 8ac8c1b17a0afbf67468788ca866362e408794d9 |
| SHA256 | 25f6e67fe878b47a4ce76f95f3db0e576b0abfd73f0a8da06dfd423b26c145f2 |
| SHA512 | bbe3c95418e0341acf4472aa5a20b207af3f88d2099f4ab94c2904887d5d16cc37514573f3ed47f753c1466006516cb8235b017e233c67d3c16a94febf926500 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
150s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Wpf.Signed.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
Files
memory/2752-0-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp
memory/2752-1-0x00007FFA7C9CD000-0x00007FFA7C9CE000-memory.dmp
memory/2752-2-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp
memory/2752-3-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:37
Platform
win7-20240708-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO87984267\Orcus.Administration.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO87989447\Orcus.Administration.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO879FB087\Orcus.Administration.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO879AD7C7\Orcus.Administration.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Orcus RAT.rar"
C:\Users\Admin\AppData\Local\Temp\7zO87984267\Orcus.Administration.exe
"C:\Users\Admin\AppData\Local\Temp\7zO87984267\Orcus.Administration.exe"
C:\Users\Admin\AppData\Local\Temp\7zO87989447\Orcus.Administration.exe
"C:\Users\Admin\AppData\Local\Temp\7zO87989447\Orcus.Administration.exe"
C:\Users\Admin\AppData\Local\Temp\7zO879FB087\Orcus.Administration.exe
"C:\Users\Admin\AppData\Local\Temp\7zO879FB087\Orcus.Administration.exe"
C:\Users\Admin\AppData\Local\Temp\7zO879AD7C7\Orcus.Administration.exe
"C:\Users\Admin\AppData\Local\Temp\7zO879AD7C7\Orcus.Administration.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\7zO87984267\Orcus.Administration.exe
| MD5 | 1f47b14658e28812b452ba2059df1610 |
| SHA1 | 5cd43eb9f52093b3d27f6d41d016bb9bddd9bdf9 |
| SHA256 | 0d5a4541da4b8a9613fea8c160596ad697580c8f5f72e4e2a5245f58e67e7803 |
| SHA512 | 2a26eaf4757a938a5335f5a5164a30aba3eae10d682ba2d6c5df934288ecfa5ca20672205c86093c33aab7288e0ca40d18606761237ab9178bdc65e13165b807 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
154s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4708-0-0x00007FFE54850000-0x00007FFE54860000-memory.dmp
memory/4708-1-0x00007FFE9486D000-0x00007FFE9486E000-memory.dmp
memory/4708-2-0x00007FFE947D0000-0x00007FFE949C5000-memory.dmp
memory/4708-3-0x00007FFE947D0000-0x00007FFE949C5000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
memory/1756-1-0x00007FF8EE92D000-0x00007FF8EE92E000-memory.dmp
memory/1756-0-0x00007FF8AE910000-0x00007FF8AE920000-memory.dmp
memory/1756-2-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp
memory/1756-3-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win7-20240903-en
Max time kernel
117s
Max time network
133s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550333" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7C247E1-BBFD-11EF-8778-C60424AAF5E1} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003effa63e9c871f48bcc98ee4333611cc0000000002000000000010660000000100002000000070f847667bf7b2c3f7b6c30aefecdab1d84b27ce6b564a6309faf14536735074000000000e8000000002000020000000b129b06a592848319f0d0146ffedfbfaab642eac3d444360c47b74bbcda848a5200000006ba111b73526f724d87c1106eea52f99cf7315e3820e2fdc8b08d730276b9622400000006f2e81e22df5c0958d2c29623868e9e2d5c8fadb74991fb8429eea44023c878c31c2fddf4b254a1f299b64bbb0f96271d06cff1eedf9d16566ad0a56b27e952d | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f02aa0bc0a50db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\ICSharpCode.AvalonEdit.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab3084.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 87d2517a93ad1bbb4ea2d4871e9834ff |
| SHA1 | 7f8d36ab9eab73989647a9183179abffff7da690 |
| SHA256 | 75c669e934a224aeb78d66677864eac36ed9686319ebd634cb0a1a5b102a5d55 |
| SHA512 | 7798c3b4d335ce34f7972841e805a0c0e2c837fa2e03f06052b7c01787bfb72088086d2ef8bd0c68257b6aadecab45fd55fb000af9c96d42063e354a1bd36643 |
C:\Users\Admin\AppData\Local\Temp\Tar30F6.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 342d18334b696f1b6086130dd6406349 |
| SHA1 | 3a9f4f2c3e5163b1a3bae78be27aaba1b627f5b8 |
| SHA256 | a08378f018c95e7dc96cb8023bc1819d4f44b9bca1bcee74106d03291bce3019 |
| SHA512 | db09214638b44e52645cd5cf6bab5617b193b870324135dc24e250fc3576e9feaf65fe452dcede8dc3cb722d540797579f0a52ff801950e10dcb6b92d7b4ec3c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2b64068d4c17a179ef6cd9c8e2073d94 |
| SHA1 | 9de6812ae73effe4a63f68427c3d8bd79f5e7385 |
| SHA256 | ba9b303a947cfcbb78993cda1faf5bd1ccabf57ebfb949aaf207ebe4d9faa1cf |
| SHA512 | fcf162c8aee4acc8c897bca3869600e794b123d440603121e0177219dead51412c6d4200750c91a429ae96b85d2977f2c99f393b2bf5992b055b91cb6ca66ed4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f78ed1c723fa929c11c8811a997639d2 |
| SHA1 | a64f2d2342668b30a013b7716430cbf54dd5c5e1 |
| SHA256 | 4531518eb305614b01171fc46c886239b54e19fce3ac0046746b86d830f3def7 |
| SHA512 | c02d12190ddf45332bbc26d8f8278d0288e78fa9be6e6b5ea6055f2482ad98d9f4c1bbff5f1209198fe9214bcc8d39d51adf380553e85d916ae46551c4c9d4b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c6068565153a9fb49b2e741c2f5be052 |
| SHA1 | e307f358b49f5d9628086cea8fad771b779fdda5 |
| SHA256 | af7b550a395fb60f9932d59e5eb80016e579156e0eb500c0def4575396ee362c |
| SHA512 | 68e5106a9eeef735f6e44a05f73ba932418970c2aa5de9a8ff54a6d5eaf7f82503939f6ebdbe4c8c7dd9833b1f08f28a518d0ec577f7361b837f6ffb2674ddb8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 21253c6d81aa911394a5971c40a12ecf |
| SHA1 | 6436922c7d5975f5c846b24e0810214c9660e323 |
| SHA256 | 1f97bd1b0efb61c42ab28de0fcb55fe227701c2fef8c399655e71b2253d826e7 |
| SHA512 | 6077c79f9af876de02ad243441f94d4cb619401e63f7636fc5af343b93d4d680f17d6ff964acdddd126932d8a947d8624a91afa1028199c2c82d289a42f9e08f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a178d6c5f37d464eed37e0a14094375 |
| SHA1 | 3870b31880696f10439f3eacaaae40766e670671 |
| SHA256 | 1fbd7dc4e9a1fed625bd6eee40b1aaecddabf5462629879b1dfa65ed6b92c792 |
| SHA512 | 5b5cf0e984f5dc79e04b79bbbf95abd5a6fd512d2d7aaed6cf7aa7501b8948e9ff4292814b5c218c1066670c0ab59274f0a09784e0f2792e50342b11c3f0018a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8070bc79c2f98cab2098e19759919723 |
| SHA1 | 3bdf92c4ef0dd5ba97d4185af08a0e17f05bdf76 |
| SHA256 | 074cf6230f67485e0ff3bfb716b553d93c9bd69343536b0735c93bba4304a5e7 |
| SHA512 | 8b255b1691bf75c7c42e1707471983f15e5a7963fa5a2f73c87f5704268d74d9dcdba1d58edda9726d7dc27409429812566fa1d822fa235a55bbc0fda924126c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 40af10bd7b093029484ce6706c813640 |
| SHA1 | 2c72f288d27dfd89db9d6d408dcefbe5412e0c7d |
| SHA256 | 9faa69077918c6eb956af15ed116307d04d564346eb516bf7e8e7d4041068c28 |
| SHA512 | dd4b705daaad0f4a2a59b522da235c6ee632fa8f33706365a012819bfd051ed3dd1487b55f9515ee3ab5218618bbaeccda6a959b940c17259829ec8c18b4f88c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ddc24c2f90804c42e0931a595f692e55 |
| SHA1 | 43f3101e5d4e290faae307b188c7d8e21afdb4fa |
| SHA256 | c60cb267f0cd501b80d8ae9bf546b9badb93ebbd897381223a26d0dd074f2440 |
| SHA512 | 9ba31d5aeab050feb1050a6eb217b6a64d7843d8055640f5840d2571262f4264504b05fde4cad560b805123d0416a697e991329a1e9162a25eb20afe9e461085 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5634c8928e28e2425ce130b6d2b51f3 |
| SHA1 | 36348564ce72634188b3d1287161ee4e72a971a5 |
| SHA256 | ed4d8c49a55ecdfcc9270d95776d2c5d901aea8a9b44cf95673954527bbb5178 |
| SHA512 | c88f4496acf2ba0f70c252d51043df7618292183816726e28c2c1195600e85a75f1b54fe7771e3459a78d53b52ab1916b09b9a90b1a8a7f7459d0a8f00f8fb51 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b90ef54e3cb90020447276a78f149f0c |
| SHA1 | 5fc49bea1b7a203dfab647ed9b5b1cfce622775f |
| SHA256 | ca20f6c925c975052227b05b8917667a0403feeaf7f65f766c58e7ee3cd16e39 |
| SHA512 | 0be33315ef9a97fffb808c9d2b3312a027806ceabf6a67bebc9d49f1a2a73a4864d826d721984ad4e16e3c8f71422a859eb7c71e20fee262de859c15bd5e17df |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 42297cf2511b59253a8dfd5305718858 |
| SHA1 | f78254b3bbbfb8ca26b13784855a0c8392f32cbf |
| SHA256 | c849c9afd0297995e56d5d5621e8b6d31deec74937c7d401e564a9d0f6990257 |
| SHA512 | b75b6e998abd1c4ca6c77a0f92a51318ddccf1045d46c5de050c54f0b8a7491a13a04a7dd18040a383b2a2e67ebe7065bc18b2a4fd528c51641a5e710ff6a1d0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cb1d5ccae5dc4346a8de5c44f444f0ca |
| SHA1 | da47b82891b811f49187d8b3f4a48e2c838e65b4 |
| SHA256 | bcb9078739e5608ff18d053b877c20f14823e37bdde2f1a04089ae4ab39df023 |
| SHA512 | 14d33c8dcc66911657c8cf88dfe41a5c2064bbaedfc33189f665716eb70cc76347902dbd5db5650fc73bd64bff08e8cfa88fb2edeba7f2702f1b28d3a256c06c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b9a3c8bb791936fb4bc2f84c4152d315 |
| SHA1 | 07a09d7403fdac58fd6bba3049e6b60397e20a27 |
| SHA256 | 2b017040882be3066469f1bd890d71f7499bf78ce74a58de61aac244d378c783 |
| SHA512 | a0d087f2da694ea926c2eda58417a99b959afb8ba10d9b731323826030706000088a0f60e6f4c2520af7af9f0a79b9a5d73500f41b54aa193d5ee1121e232cd0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f592451b91c3ed53f6e6b60c8c9559a6 |
| SHA1 | e183fb3ed8d7dc5ead62104212683c41b9dc18dd |
| SHA256 | f8acf68187ff320cabc8e5ab64cf2089b48d07121dc57a03bbfe303c3beff0de |
| SHA512 | 4c019151df001fcb287504e140c19954bfe1119a8c75a215a8c6a4cf43a4cab76d211d282fb238e5a2a9356a598a0932152edd76acf40e13ff2a40e38181a177 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9eb4b36bb7cf706998f46dc93e17b929 |
| SHA1 | 6751725758f48f53f67fab5cd8c5520083716886 |
| SHA256 | 658b664d47a6bcabf2130df3050995393a29ad5c737dd64672245a14ad46c737 |
| SHA512 | 9058662f86624c4f8bed0f550094712dc247bf7d42209bca1d4cd97a825f0ddd10c012d904e6d58f2edc72b3d68de2eb1aed86aac0186924018c8ca6422fef4c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a8612ebefd22fc6ddce071ad792457df |
| SHA1 | 740cdf7c01ed25ae8148d45ec5f0900105671287 |
| SHA256 | df2e40eb3307f407f6c87cf0d3a654ba90a374b42207b1751f1e26f2cafe3ac8 |
| SHA512 | 4c361ca6561cc07d8c1e202990f4198c9425cd599862bcc08ab5e5e7008db5936872ae1a52f03e124c743ed45fce986bf54c799843cbf773034ec624960455ce |
Analysis: behavioral21
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:36
Platform
win7-20240708-en
Max time kernel
134s
Max time network
131s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550333" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7294401-BBFD-11EF-BF23-EE33E2B06AA8} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 506402bc0a50db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b7f65798e85d04b8d2f5a1126d794ef000000000200000000001066000000010000200000007f5fe10be7bd87c62e9cadb7c3619eda2e5c45a8a51675c416f0074845f94853000000000e8000000002000020000000563f73c3564ccdc801de62152ee6a5b8f6d316faef4a9aab3f728af45c4cfa8590000000c87e05a6ad0aee27c62585336d1d0ae257a0dc84116737c57adc8e15020bd9733029aeb5f61ca79d5443564b38df6000f180ff9de3ccc50d2f206f58cdfa227f7ddb14dc590a60a4d8e438858a8293a4172e1007b76255220d33083c4b94593e8e84f2dfc254155caee4652fbfa465a4ddde7f7f6e4a567d364ee02d01925e6891939a0fec46e19f730b9e5929f98555400000002961de223ae0ed1e6d39383a3317e68fff1bfb9c11e84e39c384e37812d82466a03b445f0813b9b85899927d2f869887df9194734de2f5a6004f7c82bf94bb02 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b7f65798e85d04b8d2f5a1126d794ef00000000020000000000106600000001000020000000136c85e8a67811545bf596969004f58b02d47095465c895a34b77891d7c5b847000000000e8000000002000020000000e8a00be1ddf90676a7292b4a753367ded5ddf8acb6a95c4f8164e20a764d53ff20000000a0e8c25b67e56b4fc20fc4fb6ca7efdc23f028eb070def54d89a7eda9348bf0d4000000018b34b52de147c88d529b555a50ade3eca55a8918b9d5699d21f4799ed6b683c604b169802d6a8bf11408d9f2a56fc4c3380441d8e3744f13ea2dbb4d018f46f | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabD902.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD9C2.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3db626043a9fe07a8e44b09db9f53a51 |
| SHA1 | e6b4dd4d1796da9de16a31d25850a393f1fb156e |
| SHA256 | cbbe352ce45ffdcad23004aee8542e61630d1c05bcc8553c3b828cbd2e20d990 |
| SHA512 | 7640832c1256b35e7e4809018217f8d3927ed2fae2d65b8fd1962205bef58206dfbdb037992e74219f1f82b4b3d1c99ce4e55304c3621bf23c671561c4a7774d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 64ff93710fd4c6b477dd2e477a725cc4 |
| SHA1 | d1f42644b099e1f2c991b818ecd2f988a651fb3f |
| SHA256 | 143dfa0d6d8d0f4471e5bd915ba899cb864ccf7ea9a2131535fd2fef882d7160 |
| SHA512 | e6b8ab4e73d33dfa60d73b90cb39e92012d64b4b07b324c4a71770aedac2266cdba6753b2cdbccb511432ced2f631e3e441988494d665d980b476c39a8c15a1e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a69f115554956b49bb166df0f70e866c |
| SHA1 | 814d11b17376d3b5dc0a4ec83f0fb2778cbd2380 |
| SHA256 | 636550b6b6840fff9792df3971b03c19b02aae93425a7f060d88eb4390fa5799 |
| SHA512 | 8066db5d87c2b258f90174cedfafca4de9df32166a3610c29d1e86f04794a633959048c8577c844731b4de35810f342c4606464d4ab0326660b360a59f3f7f83 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 234853b1f0ad7bd6ae6c6c6c0924de86 |
| SHA1 | 9590748ebb6acb5ca0288f70cb72a2dcc4603edf |
| SHA256 | 75933281953344cde1849cc89a0503ee78c8664bf2ef5200f92463a02cf66f68 |
| SHA512 | 12fae1999e4e18721ba8e0ed334190a16bbf1fe6fe4bff38c6d20e4c15509bd8928a5b4d896d072f5dc3e752ef701697591047ed483bcf2fa2805a16f19d92b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 43d43d1d894bbc4a78cdc049a78c2b50 |
| SHA1 | e62e74275b4944b66fc3446712304e60a44e33dc |
| SHA256 | 1aee9acd83fc9c3cb578fedcd01c288c1a12e93be9b07a0440c8f440d14c579e |
| SHA512 | a93305804cfd51ef086d9edbe9e38ac7cecf24971c617fc61b606beae07c6b3537284070068cb3bcbd1983371a2d3a5cf30fe40315b7c1fb08f40fbfdd269936 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ff3895a56b7484c7564b2915bef3ee4b |
| SHA1 | 0a216593aa97e9a4d0cd788e1b8884800c80a813 |
| SHA256 | 7ab78103e62e883d4e37c47fa68c153959c264e44ddc2b735e13479d646a1b97 |
| SHA512 | d8fa68838f4702fcaa9332a065fd1c2b3bd72e11c069e216b9dd13eef64a45c3dc743ca4a2f8cf6824c1b091dc35110950e571eaffa0142e22c17f6259698380 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a3c51fe47e10e8307abeac28113bb0d2 |
| SHA1 | d6bdd7b52fe859436156f8597176f19b98f565ac |
| SHA256 | e904ff4746f2ec61b723536823ef7f53de743fa1ecbb610e23ec781117407ed6 |
| SHA512 | 89ed344ef382253d52cc7149f3a1ef6a26eae14e10340c34e02501c50f6cfbda52ee5c0e6f85861139c73964eac725b3ded2e598551c7d255db3e9835651a82d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 43ee155f2d3589ff16ce65f81c879cd0 |
| SHA1 | cceb01b111604bfeb20d4ce9a173268fed0ac089 |
| SHA256 | a61377b34d29d907be9e650de8f26c56b243c9f7363224514660371e79382575 |
| SHA512 | a518d17248f78de942b22cebf3e8b6d9c0e18a9870608befe5eaf4b41bc0554da3e59beb384b3f65623302e1b573c5eddf0ffcc448ce88dcbc0adef793368068 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6e73ccdd22154f7674a3f4867736cc21 |
| SHA1 | fd2dbf1bc2ee257b2a25019dfee65bcdc195d4c7 |
| SHA256 | 5d57370b9322510be65ebc59ad26011e9345f0307401b8b7a01b0226c6b15afc |
| SHA512 | 722396a21d11cd0ee652d277fb76c2ff14666e188f71caef81c78ff40e885c2ee3f2e1a3fc854a1583039c181146c3c7da1702d5172ecd1a32df1acbd3b2fa1e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8429672b2906a194139c0d0b388526c4 |
| SHA1 | 98c0feaa4d048a15c2c7eb47544dc75be0edcb8f |
| SHA256 | e0ad82a786dbbc543980a819d0cfea75a1f897d6ea98b551e529182e86275116 |
| SHA512 | 70d3ab0755dede8fe151cf2e2480dacfe234d0d3926c89e1578fe0e8d184e27cb2f41fab412b2b8ea033e9655e68955016e87f3143a29f7dac12d24f25f19876 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cb7600e9c4e5587cd937f33cc8faaf2e |
| SHA1 | 2b6ae12e2b0bbc6cb339099dd975867e97219690 |
| SHA256 | fc2ecab141e8735d4edb864c42a75c901fd22ce4fd9d1248e06972d2a3924b24 |
| SHA512 | 1237313183087ed360818d495fb1850d1a728af0d0ef8d9b3f664c3bd375f069f9eb07a67c981c030299c34df43b340fe7721f794fd09544cd38739100fd45e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 119db1551bc233bca7afc16bc88bed6e |
| SHA1 | 49417aac04c5ef289acc727631658f01a4bb4159 |
| SHA256 | 0e9f502055d8a3baad7e93205e7246911ddb10f34259ab1bb2f091bc9f6dd8d5 |
| SHA512 | 791b849ecb25c1f4a23af2bcacb5b3763c1344cacda3bec8c06b0a8a44207ce5bed88cf5ea80b434eba712fdec43d6d5cce7103f242bbe467a1880833ab54ea8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c3bb782bc906ddd6f0064a3881ae0260 |
| SHA1 | d3abea5a20d68bd75b442f18c0f47d77a5d8a42a |
| SHA256 | 6aaa5cbc13780cd6e65f690dc3251b96b2f877a9e0b9b0859ff1eccb39ce2f91 |
| SHA512 | 03cac63d7c9ae0ca4f15ae55397c2f9e3ab6a3c8257d615740767dfc66f67f734b7cc0e3d515af5985ea2fd70741109156548887333657749aa891d41410a6a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 762015570a1a9968b677843809dccd3e |
| SHA1 | 90a898c311420a65e6d1488d4a45bc02bd6ba7d3 |
| SHA256 | 19e003479e74f8d83124c6d06409ff42abba7c5f7794c33f387cee8c55b9fe07 |
| SHA512 | bff79c1e66cebb9087c8025d50043c7041beee5c7b17b12d8b9dc023701c1c6be4d3e3a53f88ad1ad8da60e50ebf2b1effbf8bd13ec6782521ba27402f19ce04 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 42a154ace60071fb835b4910a5c0dbe1 |
| SHA1 | bf5342fe0680a0b92e17402b2605dff3f5daa589 |
| SHA256 | 95d4dadb8295dc9940eee978693b7bd973e26ac717c61663c3ab9e8e663f5fae |
| SHA512 | 7d62db6008a6129df1ef047a8c40d99110b35464e1d4f6c77c1f42828819cbd60157a5b19925971b3f41efc0c313fb5bf5c0733792b125435c2086afc37d3210 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 993f0e0a15dcfb364908ceff3aa2f85c |
| SHA1 | 00bb7af6f66d3c84595f0b0cdf7b1f7ae32bb493 |
| SHA256 | d7420813e2216ee17ef6fd33f38d38b7a9b9c6bdfda6d1bdd42383ae1cec7e00 |
| SHA512 | 8094129dc5d75258da37b37e7456556e54e32285cc5d1268f0ccec4452a5a63e981a0b4212e2080fd6420e54142ff271f4016fa5dcead24b9ef8d47005766e38 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2a2999280b2037a1c3a8d6e545fb06b |
| SHA1 | f183141697a956d0776461882d156d1d2120c310 |
| SHA256 | 7f370d49f7c3545b8c2dc2d5a54e062535f78d8419abb819e49cd59657dc338a |
| SHA512 | 6956ebaaf1e001f9f077a8954a485458720ea4ba96703a9d88e237913fcfb3e52486a31af2464f5aba2a0ed50e678f9d0f2404f5498ec655c82c756dfbc3ccee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b1bc96ed6020e3c09d35652f76dbb11c |
| SHA1 | 3b8966be783c37a110595439295196ba0ee77971 |
| SHA256 | f09e28b6f712c8f2672232d3266d55db7c2c5b5dfec4b502001b3b5c8abf87d0 |
| SHA512 | 6282929657c7a5dbb689cdc9896fbda03f67a5abe5f2d45b8b18c25203d303587545755bf2aaa6bc6ff163573570fb92cd7f1fff462a2707bef6172f4654e158 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:37
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/1576-0-0x00007FFD7BBD0000-0x00007FFD7BBE0000-memory.dmp
memory/1576-1-0x00007FFDBBBED000-0x00007FFDBBBEE000-memory.dmp
memory/1576-3-0x00007FFDBBB50000-0x00007FFDBBD45000-memory.dmp
memory/1576-2-0x00007FFDBBB50000-0x00007FFDBBD45000-memory.dmp
memory/1576-4-0x00007FFDBBB50000-0x00007FFDBBD45000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-16 22:33
Reported
2024-12-16 22:37
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
memory/4840-0-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp
memory/4840-1-0x00007FF81CAED000-0x00007FF81CAEE000-memory.dmp
memory/4840-2-0x00007FF81CA50000-0x00007FF81CC45000-memory.dmp
memory/4840-3-0x00007FF81CA50000-0x00007FF81CC45000-memory.dmp
memory/4840-4-0x00007FF81CA50000-0x00007FF81CC45000-memory.dmp
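The behavioral21, behavioral22 and behavioral6 runs above record MSOXMLED.EXE opening one .xml file from the extracted archive and, on the Windows 7 run, handing it to Internet Explorer: every "Modifies Internet Explorer settings", "FindShellTrayWindow" and "SetWindowsHookEx" hit is attributed to IEXPLORE.EXE, the only TLS destination is ieonline.microsoft.com, the dropped files are IE CryptnetUrlCache and Cab/Tar temp files, and the Windows 10 runs show nothing except reverse-DNS (in-addr.arpa) queries to 8.8.8.8 with no outbound connection to any of the looked-up addresses. Triaging such a report means separating that browser and resolver noise from anything worth pivoting on, and rebuilding the process tree when the report lists processes flat. The Python script below is an added example written for this page, not part of the sandbox's output and not Orcus or NetWire code: it parses the page's own row formats (quoted process command lines, the Network table, the `memory/<pid>-<idx>-<start>-<end>` dump names) over sample rows constructed from the tables above. Two things in it are analyst assumptions rather than statements of the report: the vendor allowlist in `VENDOR_NOISE_SUFFIXES`, and the reading of `SCODEF:<pid>` on the IE tab process as the PID of the IE frame process that spawned it.

```python
"""Triage helpers for sandbox report rows in the format shown on this page.

Added example, not sandbox output. The sample rows are constructed from the
tables above; the vendor allowlist and the SCODEF reading are analyst
assumptions.
"""
import re
from collections import Counter

# Constructed from the Processes list of the behavioral21 run above.
SAMPLE_PROCESSES = [
    r'"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.xml"',
    r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome',
    r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome',
    r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2',
]

# Constructed from the Network tables above (two Win7 rows, two Win10 rows).
SAMPLE_NETWORK = """\
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
"""

# Constructed from the Files list of the behavioral22 run above.
SAMPLE_MEMORY = [
    "memory/1576-0-0x00007FFD7BBD0000-0x00007FFD7BBE0000-memory.dmp",
    "memory/1576-3-0x00007FFDBBB50000-0x00007FFDBBD45000-memory.dmp",
]

# Assumption: domain suffixes the analyst treats as vendor background traffic.
VENDOR_NOISE_SUFFIXES = (".microsoft.com",)

_CMD_RE = re.compile(r'^"(?P<exe>[^"]+)"\s*(?P<args>.*)$')
_SCODEF_RE = re.compile(r"\bSCODEF:(\d+)")
_MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_process(cmdline):
    """Split a quoted command line into exe, args and the document it opens.

    Assumption: on an IE tab process the SCODEF:<pid> argument carries the PID
    of the frame process that spawned it, so the tree can be rebuilt from a
    flat process list.
    """
    m = _CMD_RE.match(cmdline.strip())
    if not m:
        raise ValueError(f"unquoted command line: {cmdline!r}")
    exe, args = m.group("exe"), m.group("args")
    verb = re.search(r'/verb\s+open\s+"([^"]+)"', args)
    scodef = _SCODEF_RE.search(args)
    return {
        "exe": exe,
        "image": exe.rsplit("\\", 1)[-1].lower(),
        "args": args,
        "opened": verb.group(1) if verb else None,
        "parent_frame_pid": int(scodef.group(1)) if scodef else None,
    }


def _reverse_ptr(name):
    """'209.205.72.20.in-addr.arpa' -> '20.72.205.209' (the address looked up)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def parse_network(table):
    """Parse the pipe-delimited Network table into classified rows."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue  # header or blank line
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        row = {"country": country, "ip": ip, "port": int(port),
               "domain": domain, "proto": proto, "ptr_target": None}
        if domain.endswith(".in-addr.arpa") and row["port"] == 53:
            row["kind"] = "reverse_dns"          # resolver noise, no connection
            row["ptr_target"] = _reverse_ptr(domain)
        elif domain.endswith(VENDOR_NOISE_SUFFIXES):
            row["kind"] = "vendor_noise"         # per the analyst allowlist
        else:
            row["kind"] = "review"               # candidate C2, needs a look
        rows.append(row)
    return rows


def summarize_network(rows):
    """Collapse repeated rows and list only what deserves a second look."""
    counts = Counter((r["ip"], r["port"], r["domain"], r["proto"]) for r in rows)
    review = sorted({r["domain"] for r in rows if r["kind"] == "review"})
    ptr_targets = sorted({r["ptr_target"] for r in rows if r["ptr_target"]})
    return {"unique": len(counts), "review": review, "ptr_targets": ptr_targets}


def parse_memory_dump(name):
    """Decode 'memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp' into a region."""
    m = _MEM_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name!r}")
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    return {"pid": int(m.group("pid")), "index": int(m.group("idx")),
            "start": start, "end": end, "size": end - start}


if __name__ == "__main__":
    for line in SAMPLE_PROCESSES:
        print(parse_process(line))
    print(summarize_network(parse_network(SAMPLE_NETWORK)))
    for name in SAMPLE_MEMORY:
        print(parse_memory_dump(name))
```

Run against the constructed rows, `summarize_network` reports three unique endpoints and an empty `review` list, which is the practical reading of these three detonations: the archive's bundled .xml documentation files were opened by an Office/IE handler and nothing in these particular runs reached out beyond Microsoft and the resolver. The Orcus and NetWire payload verdicts in the overview come from the other analyses of the archive, not from these three.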