Malware Analysis Report

2025-01-18 16:33

Sample ID 241216-2gnj2askaz
Target Orcus RAT.rar
SHA256 5328d5f480f89cf93fe4f578facaa9622f36e802c436ed20b9d83e11b98700d3
Tags
discovery execution rat orcus netwire
score
10/10

Analysis Overview

score
10/10

SHA256

5328d5f480f89cf93fe4f578facaa9622f36e802c436ed20b9d83e11b98700d3

Threat Level: Known bad

The file Orcus RAT.rar was found to be: Known bad.

Malicious Activity Summary

discovery execution rat orcus netwire

Netwire family

Orcus main payload

Orcus family

Orcurs Rat Executable

NetWire RAT payload

Executes dropped EXE

Loads dropped DLL

Command and Scripting Interpreter: JavaScript

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-16 22:33

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win7-20240903-en

Max time kernel

118s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.pdb

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.pdb

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.pdb

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.pdb"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 332519612fa82ee55239540f8de79c78
SHA1 dc10655b42a68bce1ce2606d155346f80f383937
SHA256 e4cba061d5b45247edc7d618033c0bd86730c797ceb7780cad74abc4c931f40e
SHA512 6d939f5b0640d179e8c3c80ebbbc2f39f5108fde7dfeaed0bfabdb5cbb68dbeaeadfe4d854ff7416d787e3f5221232df8dbab8f9118faedb3fe62ebde0b9f320

Analysis: behavioral14

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.pdb

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.pdb

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win7-20241010-en

Max time kernel

122s

Max time network

131s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.pdb

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.pdb

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.pdb

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.pdb"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 8d8ea0b4b28347fcd1cea5b48eaefb02
SHA1 9390fb856941e36c6aa75fcf23850a50011d30d3
SHA256 c07445933b500c6b35553e5986166ac94877112448b1fdf5e3e8e0f33e4924e1
SHA512 ff7b40d52ff0e3deda9c79e587393a8d78689b2f46db651acd35c9d8d689b519bda8375eea311c398f980ba8f9339ed71d26ab3fb86f068f4ba58d73b66f7c85

Analysis: behavioral32

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/184-1-0x00007FF825530000-0x00007FF825540000-memory.dmp

memory/184-0-0x00007FF86554D000-0x00007FF86554E000-memory.dmp

memory/184-3-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/184-2-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/184-4-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win7-20240729-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E6B2CBE1-BBFD-11EF-9DFD-D67B43388B6B} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000592d98dc56e0e749b91aca360afca4330000000002000000000010660000000100002000000068ff4967b30dfcc30fd4f71792bdca31184a63b5f15d666e61500c96ab090b8d000000000e8000000002000020000000983dce65968db4a8fce8a63e964c2b7fd2195f84cdc87e9ecb19cd40fe55008a20000000f900e969064dec06da7fbec397833bb427989586c48afb193bbda8d84edd52a240000000ee36b3d6847d6c3733978038c12516d3b27835b911b749d717f32c0606eab2a1240d995011198ded48d073b17911350f9f8804486ac73cdfb2eafaacbc9452cc C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550332" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80a2a3bb0a50db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2752 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2336 wrote to memory of 2752 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2336 wrote to memory of 2752 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2336 wrote to memory of 2752 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2752 wrote to memory of 2072 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2752 wrote to memory of 2072 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2752 wrote to memory of 2072 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2752 wrote to memory of 2072 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2072 wrote to memory of 2868 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2072 wrote to memory of 2868 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2072 wrote to memory of 2868 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2072 wrote to memory of 2868 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab2435.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar24B6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89b1b89acf220e67f6a8db673b77c968
SHA1 9ff73de823d9d237c36c2361bb8e20a9c99165db
SHA256 facd0562fdffb79eb0786ff49a699d0697e1c65c8b6c52f790729fdc48979d8f
SHA512 aa96159cbca73bc0502ef5b9c8991d396c6d194d72f5e3078b4c452ab27d00a290c67427ddb757e13a0997e713152223ca01afaca3db1e099ddb890f2385624e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c78bef41fb47e640140e90b3fecfc1e5
SHA1 1263a04e60703b06263bb618ef2c5e7a125bfca5
SHA256 164df2149a61448cfb234dd9aa6fecc80b4a730cbf097e946c83b6707ce06f60
SHA512 0f5853abd1240468300bcd852202fff151d011b7a7842bf8e4b8f8bbacd44978747aaa86dbe9af58352d6ff15746701866d8bea5a9fbbbcac33413a964dc2b12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26d2c7416f5a7df9f80e3720ea1cf741
SHA1 5b654069e5ae5bd6111a5188a4933e28f43f58c7
SHA256 1f7042b04f7076c1021d0f91b8e71dc827f21ebd44fadec7a2ad2a124230b137
SHA512 5b583675284edabe23917110eb5dbfab58c0426fa26afffbd878c47ac3e7c443c2ca09855098380dceef2f0387ca2342afbd8b41a1c4929d9f15286f8d390e6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2808dd989d52a85524a96784a3b2305a
SHA1 e7891cc27b3125ed9fdab20f6275a2b37e208cad
SHA256 00ccdb5bbb44d9fbc0f21e0648ccd3d07a5bdbed997b1935ae8a629a9e66dfb8
SHA512 b61f639e58b0d0a9f8d8b275929ca0ce4ee63c9a74492ba9eefe4c4611fbb70576afa809d16cf0cfb4741758a7bda0db3be0640c14bab864304f34fc7e2283f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b7e243d09f0f4bb04f28cdc4a7300ee
SHA1 8f6afc63ed68322188c6d6d911dfbb55891a6e09
SHA256 636eb4064b3d9313dbc9cf36a2f708fa7d6634beeecd0a385c9524a591c40ad2
SHA512 9eb4108c58c5fdd74b883e3f0a58e988a6082741cfe42f740d8b88dced5093e2057fdb63722e7ac3ac280bb63bdc2d8af4e3e4aae32301760f206b46515ea57c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 780f5749ab4f80276e6319371c539f3e
SHA1 1e3ffc57cd96d072d00923d3e6fd92c603a99099
SHA256 6a309c7f8a560c29c8720f431f30f2a8542b6b57e15add84b8082a5f1b5eb0ca
SHA512 21e185a6ce2c97916b9403b5b84a51ae67a2a8f4cdac0df68e5ce896c3a6d81cd4d08989eb9ce98308a49915e788885e9549eb67fb49fc3cdf556ec079a69caf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc147090818ae3fd69448a7ee06286bf
SHA1 3e013cb11cb3df689ab2b681310a9eb5d3ca1573
SHA256 653c627d15b430ddf0a16545fb5e5f068f26b69fee6bd95b4c22fc6ae2253636
SHA512 d545fc42d36e98ae40bb94df233bc5e7f2d3e23de94d7dd9a6197961390acdab6aea5ab5c22832def04ea4b5c95f518aa6ebcc4632f590ea50ea801992b44aec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1c7fd0538a62b7a4d64f5a763440e0c
SHA1 7e8fa335d200d00ab3cbf123431286ba17aa8486
SHA256 1eb0ce5a6cddad2b511719570913601627bd5124e425fdb32eb78890bda3f95d
SHA512 f69ff5c855b697d482acd46d9fbbf0be35819ab0817f317933f263e6520600c8d7199d48c31b8ca80646b87b99409ef4b84a434064349e5938572fc18e409048

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81d35cef3795ec3be3cd21bd300aad84
SHA1 53b0a683a6e4a3a5661d44ce7a66a98579edcefe
SHA256 c96ed97bd54f0e42a5f00f87ccaf190ea4fe487b04d30628eebd2df30c117c33
SHA512 2731489544c4fb6c6ea0954d167b035888642aced5595733d6f6a004fb7df434be60e0be6264fb5011cd7ffa1075504788097e8e5723bc92f46572b50413adbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 715ac3022107c3af6b951489cf9cb8b9
SHA1 6b3e653c953830cfef0ddfea979fe264bd8258f2
SHA256 5607f8137a76c587af0cd437450aa1f9295f380e2b06d6f612295726e0a1961d
SHA512 ba7ba160d856c3afab001c23caba5e4a37fe5f38e6aa0c229e324a86ba0177e12a5fd2027f61113c6ee4c4cab14434df39dd68482be3cecb98bf0621a32c54f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42184d4362ac24637407be7a19a2b7b3
SHA1 ab68b9e0242f41e56b81a3ff469fce00db07d1f4
SHA256 80ab469ef2ef829b26fb651670a2649e6508a3056a535f894613c0f783ce9af1
SHA512 9b9d65a595d18ac088e5fbc2ad794910deafa476186847a0cef93671d3231e76993f37b2cd0c0f89c960063649f1a7b345473bb8db40871a86a19b3c41075823

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09a0e0119b42cf709e8783616f2b0bea
SHA1 a07183ba82c6ee74f8259f0a0d3443fe25a7ffc7
SHA256 5ca15639b68c9475b01c0b9503ee66f7101bd20c6422b5f4f032a84e3d0c8e8a
SHA512 3ff70c636bd0e2e182a2d28abc88eb6e64e6fe0253335c3a65f970a49f4f5062c0e5d9516216828c607a6b5ba3d8be3b97cf4e774533d20f181046ee6e913d43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8397adc753808f5e99999320c17a0b16
SHA1 e536cc9067b22939c268ba45d7647e2962770a91
SHA256 038a4a4b35cfc9d2e366f8dac7a7a47042de5f2be22b9e7119fc1e0a80151c0d
SHA512 fed1735afc1a8d3b388917e315b04cea264ec155724acad0c85d8e174fbfcad34b32c256fd749b51bd0c7a39a1ea423409b7822654a00b7f4331d813a93160f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be2adb65aff13c884a2b4282736cb522
SHA1 e56c7bcb7d83ac7c2a45dd02b196b0ee6e6205bd
SHA256 59d2a6e79de9df4262138d3d706ec8378b2c2a2fb165e57a35bced00570396bd
SHA512 8963a69db2c8195badddb7a2c6167894bff4b87804db1d71763b1a7cec27468840ecad5a2d0f424e229380327c7fe21f73ff195f2553ca0727bf11a6775f0526

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 792dbf31f857159a6b2fd104bb562765
SHA1 93b301d4b018965414ddace0b8f5a079799d06b2
SHA256 46cd9d7b2cb410881647489db04b5c7692554895d839180f2994133fa5ac0809
SHA512 b417df6d22efd2275de77f339e9af6eb55e36cd6e47efe185593e7a844f8745c0154991da5cd2f3af2a55bf6b25dc451c6821009c29ea18f9a6151e195e930c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2e2464bcab110a65d3784b3e406bc0a
SHA1 7c73f63a99d5859eddded36e33d523a76a2a463e
SHA256 95a74d402e35f4fd359fd5e2f0b1c0650133e8f404df93891f4136b8cd149608
SHA512 12622e7abf20cf7179858f2155d14caa6f8ec2bca6132caa9bd19a364b15f4417e219c6185af559c5304e1d937ac1282ea7924a15bf746a5d9df4cd8cebb7af1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51ed30d35db2c8e6e5b8dddaf0d2f05d
SHA1 7f89fdfb902a013ea50f51057e40f4fe8a1c39c7
SHA256 3a21e4f346674d94b794bef14271221150bc3776b9b879f7d80c1746cb92ee09
SHA512 19508df0501413f7c96c3e33f9e1e8a4a3f1d41c0e092d38eed89e10a3948c276923dbb44bd2cbf94b1210011bd80614e2abb1d9455f33ed9cb202c1ec3f5fda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 487627bea83f75b5e63006577da1943b
SHA1 588849ae8787431ee261de83fcd037d13737aa95
SHA256 4f27b85ac9211a74f4df9bb271729907d790413585c3be6613d9e179940b2694
SHA512 9725f0c1aaefbd81ea140b3206f9c5de4d35e265a23105205a8ed76fe2355515fe23204b358305ca86fdb8349548d91f0c216ef473b0766498a7aa3cf283746e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cccc332bdc997dc8a151009e825f5631
SHA1 41ae16bf3eb20201111b7154f546bb91d44e0751
SHA256 2360477e371036ddcdb6791d922dc426d5665e282b1165cffc8d361ecf911ebd
SHA512 230c69be79ee05d896ac141fa836f169b577acdbaaf8b42a1e1f3612addfaa4afb808da24ed595dc9f9d24d3088c5369bba6c5d51bca6b020961313309a8856e

Analysis: behavioral28

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

147s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Newtonsoft.Json.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Newtonsoft.Json.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4528-0-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

memory/4528-1-0x00007FFF183CD000-0x00007FFF183CE000-memory.dmp

memory/4528-2-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

memory/4528-3-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Release\NLog.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Release\NLog.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win7-20241010-en

Max time kernel

103s

Max time network

20s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.pdb

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.pdb

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.pdb

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.pdb"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 24a6e58a1417f4ae09bdc2b59387fb6a
SHA1 ab704abd33fb770f2c60678073151582b9d36e86
SHA256 f8401b8425e0d066293f300c8d5c7ac8fab69efbc51bb9bc42ed119e358341cb
SHA512 e55c010f84c90d34e9fb1b09b27fbc13bb1d27a7820ab86555220b6bb5b2575677cbad22bf71dbc749c3a5fb47a7f0186ce4664e0df8e543af48efa43297fa91

Analysis: behavioral20

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.IconPacks.Material.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.IconPacks.Material.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/1000-0-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

memory/1000-1-0x00007FFA9FC8D000-0x00007FFA9FC8E000-memory.dmp

memory/1000-2-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/1000-3-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/1000-4-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Release\NLog.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Release\NLog.js

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win7-20240903-en

Max time kernel

133s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550334" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8688A61-BBFD-11EF-B8EC-E699F793024F} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000088e8189262d3a8459af95dc794a543df0000000002000000000010660000000100002000000039de8440b122d047e8d5137a52b85c29b03710421dee0219dae3f85a8367e9bd000000000e800000000200002000000064209aad60c951567e4d93ddca407ecf24d27b8ea5af32dade967d0d0390702b20000000380cb72cc49a40e4f618d71305434032da1bf1c1783a823e739a215a93173d3240000000b064f4d869209bdb4b832046c1f528f918c651bdda41b4fed24acad0faf5d4a4ebf1fd9298429661819b7ce632772c4d16cb3bd77c4675288f00483d40fd1493 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302538bd0a50db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 2700 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1596 wrote to memory of 2700 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1596 wrote to memory of 2700 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1596 wrote to memory of 2700 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2700 wrote to memory of 2688 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2688 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2688 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2688 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2688 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2688 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2688 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2688 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab27A0.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2810.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 066f0a3b22c911ad276c26c22a284483
SHA1 fedc8c8e99e0311f58df038c73eba80c92e282e2
SHA256 db7cefdf07a18aabd5876b55ec9c5e289b45181d79e80badd12d68a8d30f8935
SHA512 03040b436d0e06a9f7f4e5aa642ba40d7fecef50a735afb4cf950808ebcccdc621a84ded1bbcc6ad228d9dc0fbf25ad0f85d281de600ea5ed5bfb76f3a695b66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f17ef9f3453fb0e8769ef7746d4e7b5c
SHA1 2da7babea6a99ab365146b291a98ddff56a68c21
SHA256 3f2336d9f38b9fa1b3e8924a7c3979c0ba5e8350b999ef168d84bf32137d1a0b
SHA512 e8defe919fa190084a66957321a40caab63fcd01f8b90cdb7040a3ee269dfe4ac853ec7d97dd716be7fb4a1f2610af73223824482705c2860cbc6a87a1f45b65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a948a5756e3f1ea2c2780af8739946b
SHA1 aecb213fa2abbc224e275fd96d72a7fcd65a0208
SHA256 3acc020ab591f2dae99cb718b74bc647123a462be3d4488c9fa22403dc2bcd0a
SHA512 59de9a57f27e1b5bd46c49f8e9966501d9290ed2c6edd35afa1f05849650edac1f54bcdfb1bc835cfa3ad4fa338b31d4a40095b0f6e18fa84726af5409e4d641

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2449b1737f0e60b5bc84f0db95bc7f70
SHA1 c8ae363c2ecc76736fb717bd8e0d947b2378acb3
SHA256 90657376302372a517041d2b1a853f03fec0fe542a5dd64fa20b70721bce8284
SHA512 2adc15a173999c4a1df4cf2c29e5c7db833f4608377e40443f8ae567708ff00cbe175b5c55ed3c8fd8665105bb83833be29bbec54d110f79228e24b7c19beb79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 008b8be0b430b480f1f77298aee2913f
SHA1 c69e88df7ca295f7879441a10e753af76b99f185
SHA256 1083bce0c4c396f58a107d734dacd09cdfbb292f6d2be547d5c2e58fcb8ca8ef
SHA512 a3d70c446bd93b1b289573a39c2ab1b254325def33577e918173e80a77c2fab4c76673bbc8434f0c9683ae9b566fca096f17673f6edbcc6a65c2db224fdcd8bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d21a50b582e390ff210b5a23057ef34
SHA1 f674c92ba9262982d22a989048452221a49cf542
SHA256 cd7acd0e54a98c9e18348ea5784f0429f0dc704ad428a85dab95a090becd12ad
SHA512 5f7f269746d7c46b29bc41f0b9552f78a4d4864a628db18bf864fb762f68657f4f09fa318400d4dcdb8ca27ed20a609ccf4803c8f0f53ab5780edd4f3ce3b466

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d91e608153b662fabef6d7155f467645
SHA1 acc1eaa109d80d1df8a73a83e076a49d189c31dc
SHA256 10f8f0b226db2da60b27b999d3d5a2ee5ed606c21b0865d111b6a05c99bd41eb
SHA512 0b348f429e724d383a8e52a6e8a55aaaed04ad130961c608ab22a3c260461a3ed7afcf9ad52cef24b4e7521848a695b1fb10ab218ee1046f6ad3d2f4f0506bff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e90163754453b0ba4f7cc5096582c44
SHA1 4f239cfb93cd17cf290153b034deada9230ac568
SHA256 dcdfeec59ee7865c9360a32ba0ba1a657884479c0a11d51489f876a60c3aef0b
SHA512 2bea7e22e11e00b75aff1381b1f5f5a2a3a983368bca467e2f3dec0aeacb20a233ebeebde5bf52aa1a4f55ea89446f19d011addf93e234ea5b1d9f6cae8fa0e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 748091b43fab94a1838952794b8f09da
SHA1 31c2d17e0291ca2589bb0841a4a2b633d5bf0364
SHA256 d9f9a1ea654b76736ab27143cf639f715f393efadba3453263fc4d4fb3b153ce
SHA512 6f5228b0240902a06e42ea00a1869a94964116914b5609aebf162750e15b9beab32118dc68ace31d0cfaa06509612e038bcc53f910c20d348361744ecc52ddd7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 410037028c171b677fa544b35ec0bc41
SHA1 6575b80ce81bf812d94c66e180e09ee9748c395a
SHA256 60cada19bee66e376e798b32fb46391878cc7f49783bc2900810e61dc66e4e17
SHA512 850cee9b1717e52410133ce4667d8450ddb6f7b782702c8e700d0f700ce24d795cdcca0269750069574f4b5c8ce7fcebdc385a55a0b0b6aa7bea873cd4bcbfb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b12afdd8005eedc5253f622b5921404e
SHA1 308313aba9ef34a6957266b8933026ec6b9f7efa
SHA256 864b96cc80d51ad2775f65a3e84bc2535c097ccca5123feade6b3b9170657ed2
SHA512 59320c99a147e97ccafcea98e964390faae6eed434fa81b79d7cc42ba84960b8a64593c74cf687f1b665fa48113356a36660ee5d0ae7186b2a4690fdad7b27d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d06af3f3c33ebcfdaa1e31f019f0826b
SHA1 c8ef01fd25ad4d68d667d47bf897ed91927e69e7
SHA256 b2d19b1c70c13ee351a46f51b1fd948370454ebd912f3350aadd539255ab1992
SHA512 64e06efda09e588214038ad9eb4ceb0caf50899969291241149ee5a9e10f39b3faf0757dd7fbdee793469a39796106fdbf41de0d2dad183dfe4cb612aa560e1e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45a2b302877219e1c75e6f9a1140ef16
SHA1 7af0a731c2c1d48e6c38ec0479fc1a09e2961743
SHA256 2e00edc455b28dc903ce9fb7a79fef0e592217fcb4d26a11669958e641de1dc0
SHA512 6ad68e17ea172be04288c42f489ac6d12b258774a160dcd28f1ff2f498924ec6ac9abd18cb322139e84429bbd5df4f89b3d370d775695ee858c25fcf0821494a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8d2ecb14d93c6d1888149128d0f31e2
SHA1 77c2231e7dfe0b1f26dd04e7b310e2850073691d
SHA256 7c6282d50a00ea08b3fa30d09343b354059f02828d480696643dcf2668869f07
SHA512 afbf675e7ceb6ed4868efc059fec11d81adea7e3b926a313a5e04dd08e345c8567c56e1757f4649ec94e86839f63c8ce1855983eff3f77ce2f6f05bebde9c044

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd82cecacb8208fb8a8d25609d9fc1a8
SHA1 1d74b9f851bea089f84693692c810a68b024bdc1
SHA256 d0b29d6011b5d87976bdfd69e313a71ec553828dbd545ff3a384089208e76b4a
SHA512 a9d211f6c5024cb540070f3aa3f4c75058183a9b94ed83ab6ac4d6b287362124e6854ea94b21c63f8efc5936f380e3a5fa729782ea387d27bf5957a95a6d70b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6ce430eb52e7052e469a90b33131e5f
SHA1 9d975b890b32d2a3375e56e359466284f0641ec0
SHA256 add076d6fdf32bd33adcc96b143a30ab18ef43044eef3341460e1cd57e419f52
SHA512 80769724bde23180607dd1b28def6310e1b79288f5a4cd3962ee1734ef194842689de218a2a6b8f4229b06d8e64b333a45bd851433e160a3599fc4f0e3f08c4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 191ea15ee310ccc22441ad3f0c4f8d7b
SHA1 4c0ee9e87cafb52b4176906d246136f25cd3edc4
SHA256 b1b47328dbfab077f68d019bf190bcdad1dd31478d9627f941a62c7f47665061
SHA512 3f22a2477a4ded86c856276b7621043a68eed5c15663ea4a0bfa50eba009549a031d91f9f72edde75a9a0b79c66ea6002b3c23860e3ede0cc810ac4f646131bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 756a43bc1eb682a4e0a6e8f5ab334f56
SHA1 d40780f3b0e91ad0356f21abde2c554d15714281
SHA256 6cea9bb2fe0b4b1656d8a08328ffeb3903688264c3bd8749c0d728717b7722b0
SHA512 fdb8876b1dd826b2ce9cf6cd07c677082c3b61ed67689ca6652fa5260989682974eead8613e2e61e85b824732ad14d723b71ab1faaf2d4b71fd57060905f1286

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be53a46f567446f7d328e4b723cf0850
SHA1 7c0a514b68431a09b4b42d2f67acfa28d17a88b5
SHA256 ccdaf8ebb9a5d91b46b7c7b5bc8855041e8002efbf4a825bae352b21fadd82fe
SHA512 f0df10632734cecd870281fd09c2bfb2be57ec1eb51001050a2b7f576a7b53e6d183336a2754681645e00700605306483c50f1eb000bba94109b3f7abccca8b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a880154ad66499f560cfae0f8ddecf3a
SHA1 2afd181c671e3426371b1ee9faaf3d5c8013a34b
SHA256 9c06cf90d544f7dc32fcb808c043199a8da3f700ff48adb53176d59f10aec083
SHA512 b351f001b14256ed9108e9c95ce9abd6fa5651e9c28fd182b46b4b1cec65b05af304761bb35b1acfd36fc2ba0954fb72a2adf644fa9df02d2f0fb692c918a997

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

149s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Orcus RAT.rar"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Orcus RAT.rar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win7-20240903-en

Max time kernel

122s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.pdb

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.pdb

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.pdb

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.pdb"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2ff32433893d204fd2c828e5e52e7733
SHA1 fa22471b6a6d6bb1c79688d6c994ff9fe5081850
SHA256 e71605ce55eb568bb4b55c4afdf7c80c18b26933401bf9baf2209a81f3a7fbd3
SHA512 cd2d94b76de34ff5e32cbac148296bc64c923aceb9ccc00c67f04b78e611cce043f8692453327fa83e9d48cf843e2f3e31ace8d65884d3743556e799120ad8b4

Analysis: behavioral15

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win7-20241010-en

Max time kernel

123s

Max time network

137s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c22abe0a50db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000209d9a864c1c3a54130f58702e00cb35307045371a76ad2a121439ef016cd82c000000000e8000000002000020000000b943b34afcc42b801a879e0fc1503ec6b4facd9280e9a40a12fa769b0fb3c08f90000000395cb951c12b2a6b2e9bb44e0209b8ca77d74589b372098b5a2c9609aba129b3ceafae0682c50cf0076f1d05277fcb011872648f945326e7a638adf9428845c24d9ee6b6b364727372ef5a219cf6b2ca5318f1267c1099d326ed0b97d1281382f005ff499b0215151ad53f2eeb10430ef3a85db644b3c9fccf8f03dbf5d53987548f6382f5ae5dda52e2bd92ab66802b400000004e1e2c9506804cf55649ef31bd5100187c498da0fcfa5c885b656cd918dd4d24d7e27788c9c5704a5f6bbb52ea34ecafe072e805151ca3495e890b38c00756f6 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8F00211-BBFD-11EF-80AB-7A300BFEC721} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000f1d06d1f204acc6956681b97601f757ed02f8e51b3ad93e8ee42544dffbf6742000000000e8000000002000020000000633f002cbe8bb77822d1cb37d27b664a0c15a908995be2b65ee238ce29184264200000006b7b8c4400ee708b22eea78bc25b595be3eefc97e18face47e45627e21aca1bd4000000095ac3abd1872c2d4036b166a8b47ff95534931f0b03c1d87df3d6cd7c44c69edf5310ae2ae57d59eed38904b956815289220e1e079714ad410c4fd8fd411d63a C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550336" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 832 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 832 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 832 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 832 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 832 wrote to memory of 1796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 1796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 1796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 1796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1796 wrote to memory of 2836 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1796 wrote to memory of 2836 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1796 wrote to memory of 2836 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1796 wrote to memory of 2836 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:275457 /prefetch:2
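
The twelve WriteProcessMemory rows above collapse to three parent-to-child edges, each logged four times: MSOXMLED.EXE (the Office XML handler invoked by the /verb open command) starts the 32-bit iexplore.exe shell, which starts the 64-bit frame process, which starts the 32-bit content process whose SCODEF:1796 names that frame. A parent writing into a child it has just created is what ordinary process start-up looks like to this signature, so the triage question is whether any writer or target falls outside that chain. The script below is an added example, not part of the sandbox report: the rows and command lines are copied from this run, while the row regex, the allow-list of expected writers and the SCODEF check are assumptions of the example.

```python
"""Added example (not part of the sandbox report): rebuild the process chain from the
'Suspicious use of WriteProcessMemory' rows and the 'Processes' command lines, and
test whether the writes fit the ordinary Office -> Internet Explorer start-up pattern
or whether some process wrote into one it should not have."""
import re
from collections import Counter, defaultdict

# Twelve rows copied verbatim from the win7 run above that opened
# GongSolutions.WPF.DragDrop.xml; the sandbox logs one row per WriteProcessMemory call.
WPM_ROWS = r"""
PID 2368 wrote to memory of 832 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 832 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 832 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 832 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 832 wrote to memory of 1796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 1796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 1796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 1796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1796 wrote to memory of 2836 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1796 wrote to memory of 2836 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1796 wrote to memory of 2836 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1796 wrote to memory of 2836 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# Command lines copied from the 'Processes' list of the same run.
COMMAND_LINES = [
    r'"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.xml"',
    r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome',
    r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome',
    r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:275457 /prefetch:2',
]

# Assumptions of this example: the row layout and the processes allowed to write.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")
IE_IMAGE = "iexplore.exe"
EXPECTED_WRITERS = {"msoxmled.exe", IE_IMAGE}


def image_name(path):
    """Case-folded file name so iexplore.exe and IEXPLORE.EXE compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(text):
    """Collapse repeated rows into (writer_pid, target_pid) -> call count and a PID -> image map."""
    edges, image = Counter(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: " + line)
        src, dst, src_path, dst_path = m.groups()
        src, dst = int(src), int(dst)
        image[src], image[dst] = image_name(src_path), image_name(dst_path)
        edges[(src, dst)] += 1
    return edges, image


def process_chain(edges):
    """Depth-first order starting from every PID that was never itself written to."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    written_to = {dst for _, dst in edges}
    order = []

    def walk(pid):
        order.append(pid)
        for child in sorted(children[pid]):
            walk(child)

    for root in sorted({src for src, _ in edges if src not in written_to}):
        walk(root)
    return order


def review(rows_text, command_lines):
    """Flag writers outside the allow-list, targets that are not IE, and SCODEF values
    that do not name an IE frame process actually seen writing a child."""
    edges, image = parse_rows(rows_text)
    findings = []
    for (src, dst), n in sorted(edges.items()):
        if image[src] not in EXPECTED_WRITERS:
            findings.append(f"{image[src]} (PID {src}) is not an expected writer")
        if image[dst] != IE_IMAGE:
            findings.append(f"PID {src} wrote {n}x into {image[dst]} (PID {dst}), not an Internet Explorer process")
    scodef = {}
    for cmd in command_lines:
        m = SCODEF_RE.search(cmd)
        if m:
            frame = int(m.group(1))
            scodef[frame] = image.get(frame) == IE_IMAGE and any(s == frame for s, _ in edges)
            if not scodef[frame]:
                findings.append(f"SCODEF:{frame} does not name an IE frame process seen writing a child")
    return {"chain": process_chain(edges), "edges": dict(edges), "findings": findings, "scodef": scodef}


if __name__ == "__main__":
    result = review(WPM_ROWS, COMMAND_LINES)
    print("chain:", " -> ".join(str(pid) for pid in result["chain"]))
    for (src, dst), n in sorted(result["edges"].items()):
        print(f"  {src} -> {dst}: {n} WriteProcessMemory calls")
    print("findings:", result["findings"] or "none")
```

Run as written it reports the linear chain 2368 -> 832 -> 1796 -> 2836 with four calls per edge and no findings; feeding it a row in which an IE tab process writes into something that is not iexplore.exe, or a content process whose SCODEF names a PID that never wrote a child, produces a finding, which is the case where this signature deserves attention rather than the routine start-up writes recorded here.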

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabF3C4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF482.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 93757ce3a60372ffa87d0727b3a9643f
SHA1 3d5dba222b2741198dd5d84800be798f2e6b0b33
SHA256 cb579f64924865863d66a63a0669ef30635581ff32113c6b242d9a11f5299900
SHA512 a8223228f498a0de0c16c19c64fd6e9cdf8a032d392e0f0c368fac7c7baa9df07fc267b83fb955b7dbf22d9d81667939d6d5944bb1f7f0024c2ff3d31cd3c443

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 605ed66c666841be218af9b3f4bd55a1
SHA1 d3f92d0aab289323384b5149113fae560dfc3701
SHA256 75faf211c2b143f58d188e1ad322bb86af63a4e656333e03d8e843daba1c6cef
SHA512 ff269dda2de7454088afab8d2012a847a81f2e9669123177e71032332164710f39af1bef1f64eff1ee666649913247092ead04890a374d58bcc3c89fff6e0a01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48db5bf4e23804512e148173a4c3af1f
SHA1 0465383ad7b29db9b732d95415a24e13abe68762
SHA256 32e15acac44beef66ec7514ccdb83f729b16606b366311d2ef8b1c788d320ea9
SHA512 1e428a0e097e9f5c93d0e0bc4c93b0699e1e6c2c227e240d63e704d70dd98fe3434dbf65988ed8aa60e4b0a88f2602f0aecb64d1f47dc81f0ef82ed2d98cf468

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6167384ebbc334a97b7ec2176fa0ca2e
SHA1 ab7ebe6c3d44c19126d644a296e809455473bf0a
SHA256 590962299d79d1ced8f1a99aa7ea556fc96235d6f9bf006bd084da9cb2235b5e
SHA512 1a8252eef24abe6ef9b217f0c00bc36b2f388c189aba2d7d61f43a6a2c320258b1455ae9db3ecafc060cc7087c487d1a34ad4fa9723ff83074828ac62e5c19b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c51b730b35420e22e126b460a1ac14d5
SHA1 87940b2079f3a1fcd11668187d5a67650ee5ebb3
SHA256 f8a152bc7e62cf7580137993287cf29fb9a96387605aa4d9642c2e8d003b3533
SHA512 22d88ae47bae531c6b3b259803d7c35318b3e6ba572d695aa7cedb13c736cde718ee173489e21da394083d7002d4558a52a20dc9a22f37180c89c93d2d24fc68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e11c23280df0328d4515ec15bf5dc50
SHA1 81aa7a59bd4bd94bece60f84d28b93c10384e63d
SHA256 fd7da94ee6f905d21058267930c61323c03d42e6d88accd86c6444f2c0ee50bf
SHA512 5c59310ef507dcabba8bd5708c7e4e2cde0934a5e44c65490f9ef4c74bdb90627cd6039e4fde1cc22019df85e309d329c2d64242daf2988d3e6eceb5ed059b71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d15c9420c04a866b86b5c7f7ca856b7
SHA1 d7d2c90d720a12fbebd1026c0c627e3b1ef930fb
SHA256 ea9d13a2c558d2b06ca0519f986108233aa94d43d348d524949cb47c61d447ad
SHA512 1b1f4325ac73eee04dfa5a93682ccaf30c93b74f4077caa955d31fdf07ee6f58ed19e6a721435a2ef5649b9c68d72c590353ee63e66a9c245457cb2f47608c2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6a92c20eee4a0fc041323193bfd9730
SHA1 11dce65d43e62b90bba53101e64371ccbd81ef20
SHA256 bba85d2fb6e57ece2bf735358e826b10685a2fb8eff7f2d095046c380d2ef42d
SHA512 ac65584f75c52f047f6c8e5f1e8cbf1a299ae47ba4deea10c670f1f4f4938a6d027ab4c9539f7134f4038e6c95dc8edef177678b7e6f02ecf7ec80d01292314f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2793cb21af2922e750da17d276126ac8
SHA1 cd6adb5d2c5b7fcb3956be8d118392480eaaf894
SHA256 55774cdde1d10e734fcb30426b6a523d3d2f18c94d3719ec52f09efdaf38a68b
SHA512 cf4d3baf73a7346c98ddfda3fed7cb2af8226ea46bca8bca672bb7938e0fc0f91e745febbf93c7c9571399093f47fe9becbd45bdbd2eb3473e6a6d66fb949f85

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b42bc25d9ef1413e446df19cf289deb
SHA1 49b17c3d67355159af66a35be9b6d99bdcaa3edd
SHA256 975f717c76e336a6cd292fef8a4a362c6016169fd631ca38d1ca7d1132ce840d
SHA512 7f20fa4eba26d4f43d30e3d4baaa6f7aa0d1468d96f1a8b6bf8901b05a7ad65435eebd83641bdf09eea58466afe0e7462c38af4e57fe8a7eaf1088ba409a30c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1621a648589f2c73373595af872af4d9
SHA1 8ed406867b3ae010dc2f15f0d44c61ff7e2589d0
SHA256 f64bd5ebd774f0baabeb31f49b619aab7dd69533ec544aaaab21be92ec8b9aaa
SHA512 f692c3494cd30afe029961d069e990bba694df62fcd85e27517ea06e469dcdffeaffd4389d928d03f7c935966105f880c4c186f205e2fa6f214b8d6bf1f46505

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f708e97fabbc885496dffcaf369c69c
SHA1 8838f86f9bf22eb3267f00dc95fbab457061a27d
SHA256 97e101427705cc40ae8988984a6ae01b2729ce817d0919cc88f70d711a279116
SHA512 8b53e130cb640ada739d74b0c6a9acbb5d45e86bc99d68f87ed428ce8d9d8f5428ad00fefa30a20a361322185dc97dfbcb63e297122436475a7bc019fda106a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20c5a3f9b7621bd23ce9479d03081063
SHA1 d333839fcb149c910fb21994894dd3f327dfa787
SHA256 d3165ed664d2c092c4f560bd63c4b71b273d6c03d4260dfde7a4e9f500566e52
SHA512 7c1cd3a8dd823983d39eac415efbd0af45f582bc063aea05a67f7edbb646b0814e2a4b41621964dee10fae336d1650564710bd3dd5745db98fe354f15d4fcbbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65b66c7927769d7c2c4777b7342254e3
SHA1 c41ba0e2ae736f697b5d492672b27e3aab99bf64
SHA256 c059cf767ff5f9516f0be2cf0344e8ee23952a3f791712d1f67c7f1da9262952
SHA512 76882599f554758a915b8d11e008774a79baacf6aed55c09d174d2ef638dd2eedd25e869e14ad94fc7d9ceb2c338b9ad44da995eaec79ebc95c40e3b2df21881

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38efe6ba93631aff1eeec6703c4b3123
SHA1 824523a2d9cc1e940cc0a0c9cec47f2b91b5b2e7
SHA256 cab11103d63e0a208f90033fed96be5b98b9e4a3cf21de3653ec45cce16b224b
SHA512 c40d0d1ef8981e52f5d709416e0599aa2008a334074476b969583e3000c8d65eb57e807210bf331086d509c6ce6677928e7d411acc549b69f18cfcf165fac5f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c223dc774ebc1619fa7992febe8f99c
SHA1 c46d6aed4731afa68ea581a5d5b582f675f561f6
SHA256 ad7f7caeb00df8d5fc8e4c1dc5776513de0f7527bb8e4fc1c95fea7b6e7fe75d
SHA512 2bd98df3163f4c3aa36063f412a411c1f04cc96ce56a11ba5ae5bf924e5feb43b4f8c01ea7485802fe798c9e09b6713c02d63f96478a89126807f7adbc1ebbbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 676149c83b2afec6886ef8dfc32a2b0d
SHA1 7f749e9f5b5a639c56fe7e5b6b68c534f0e71bd9
SHA256 d936790d1c38d0da704c87ac1954a8e4e6f386982b5b13ef6e50037c9c30b8b5
SHA512 185236576f06cf69d1a2b102c2dd21ba34c4b9448695e87d8509895c43f234e69ee7f8da1eb1dbcea3e0776efe5369eb5465747a7853551e1191dce7c0e375e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf56379b123dec9913717525442759b1
SHA1 4130fc215ed1a5bdb035eff5641ae313abfb8d56
SHA256 76fa7b1776513aea08c8021658583df87fdfec718d0e594ccbb1bb1006d6a5de
SHA512 530f4fb43a387bdf71b4e891337d4d8ded224c47c55f937dd1e8a6fb9f0e4bd391ed5c1ff75d8de7a33c993b457e59a549feb42591bc3962ad787931735d6ca9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 602f98d64569c76d0078f7a9c35f8373
SHA1 2ff06f40bbd4a74fdfa134da04af5ae3f113f3d8
SHA256 b554cd924458d507af9fb1e23b2980cfa77028a6aaf387fe1851d66c635b47c6
SHA512 d3d20b7d92b0c653443c0977c858e611a66399abc96fd11504f52c6c9e86b74d23221e1ad32f403d13880d7b8aaee74ff414c07c1f6096193b43beeef9fbbe3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14b04165c02448d0e555048eac5ceac4
SHA1 cbdef1c0d66f45563576bf8572a22d0b862afb6d
SHA256 d269f4efee9b2e3eb66b6bb62c25dd1ab6cbdf0298ce3f6fa5821f3823971756
SHA512 4b210e524ac833a340189651a89061f556a65adb76cba4521428490a06dd5a46c1ccd95dcb82ea6cf222579bad2d35d957ff606bd47764055fcfa23fcd3a83e1

Analysis: behavioral18

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\ICSharpCode.AvalonEdit.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\ICSharpCode.AvalonEdit.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/4572-0-0x00007FFE4BCB0000-0x00007FFE4BCC0000-memory.dmp

memory/4572-1-0x00007FFE8BCCD000-0x00007FFE8BCCE000-memory.dmp

memory/4572-2-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp

memory/4572-3-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp

memory/4572-4-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win7-20240903-en

Max time kernel

136s

Max time network

139s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.IconPacks.Material.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7C8A8B1-BBFD-11EF-BE65-4E0B11BE40FD} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 608d55bc0a50db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fede7374cdfcd4db0ba3fdd2eadbc3400000000020000000000106600000001000020000000019ba2b86518092826b3aeacc0fce1f6c3a63b5c4ad59dcd1661064833d2cf30000000000e8000000002000020000000b1000bce62cc9f395832160995f87b60c90a89d59b6f66e1f0fc102a42595e0320000000b8ea8052511403975c2e2510ae6618e4dac819ae8d526fe8ca48fa3215d160b240000000de62847ccdebcd4c04229a683edaaf58e4717b2ac65dc73ed31129c84e20672004844f8e4304c1bcb3972d8a942e0cb5d1ff313e8c4d5f47748319d815241744 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550337" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 2140 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2724 wrote to memory of 2140 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2724 wrote to memory of 2140 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2724 wrote to memory of 2140 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2140 wrote to memory of 2908 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2140 wrote to memory of 2908 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2140 wrote to memory of 2908 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2140 wrote to memory of 2908 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2908 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2908 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2908 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2908 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.IconPacks.Material.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab8421.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar8491.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efc6026c7058fe185555f7f8d5d6e71f
SHA1 4329333ea08fdc99e4100b34253d1033da50590d
SHA256 0238bb95be6122afbfe757cff73c1a808b6410a9ad6a907555ce64d342254565
SHA512 7053403a0bff349b1cca2540a23fae5497679946aaa56157fde5d6d227acba6b6646350b4157ac247b86b833c21072a904fcd52850957af65282d4761221ff63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7714e5f3870373a52b22c7f70abc0f74
SHA1 914ee0aea38095a83450918f0eb87d869860fede
SHA256 bf44e5caec510f9cfabbc860b10f330e55c15601e367b70de0b2a8c4e2dab12d
SHA512 19002cf5aaa5280e84df26317a010f8ed2a13a13062496058b232068b84b9c5805d40fa57b7603e497d692affac93d926c070ff69a3f4dd624f37ebac937f268

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f53e86a03786299538970dcda25d73c
SHA1 e4ac2472f4cb8e42fb8d9aca2b29b8988646787a
SHA256 779c22e41ec03b127c4b66970503302857c545d56936512233a3ce4b2dc7c78d
SHA512 1e3287d74ef34a848b492498787d749f6339c0a7b640b1b7bdcbb641b253320725b0ebfe3cfb6f1febadf76d1d67dfaf313a72fcf52fab0a7db17e905126f95e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 140fe38affa2600955e8ca42a0a36221
SHA1 3d1aa1b8b1dd99a22c752c5acac04aa2c7d563d2
SHA256 0224f381676cb96b8c671a782bcd97f4657e421879996f7547a7277bcb670cb2
SHA512 15636ed4dacfff7c66fef20d36daef9f21c5c5acc4c80d701aecca2b6edbb5d3e1af937ed824c8ce1e40b0bf61cd69871b12e2ae28b7fcefde66007c8de80617

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e2fd28f5e06f4e8cfabbd18ec4fc62b
SHA1 b5d341a46503f2cda3b2d90d27136a0451c235e2
SHA256 aacd5b130296db2f5ea513f3a7b5895bc41008e7e38300ae1a7b919f98e00b71
SHA512 391115eaa9a82dafee798547bd12d1155a6d6cbe7f9d590b0831d1ef16b2e9b122870c911ca89b713247062a42d40c25b076c498086bd708a65e8a11bef446fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d221d19ed15f550e0d9b0042416fe86a
SHA1 750319a1d38f421068b3a481957cde9e53ad5b0a
SHA256 3cbfae86ce00398e13d9f67079263a9aad64cf0c9b19045b3758cb16055b2e41
SHA512 5564f3107e7b3bd7c962f746b3b4935efbfaaeef359b10e959f65338ac63b8c4fdda7f790e221af8bcbf4f038ed4c47b74632b7d2e0a0903149e06125e32a5f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22f5d2a5a01688a82923229278ffc7a3
SHA1 e50e6866dff56e5d3f847fc2ac4d556f2386c105
SHA256 4badac3494ea5019583c579af8b07b86fef7919f2596975dec9f394de1c7b6fe
SHA512 a0c04b25adc4a72519a1847e2ceed9b8153c403b985e491687ca33f315022ae59966d88db4cb3463667912be51ed84e02e97d2e479b40ef549b20dc5699310ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f742a63369fe8008b78ab1522996751
SHA1 171ce83013e88a3a6152911e7e3f1b8378b1efb8
SHA256 bf3929d2197da15da99c7faf1d66760247eda6191492858f92c3fa7e4267e09f
SHA512 7de65f77b0eb6eeec62e79e0bc865ad441a0432cdd48b9969c4eb2962c62eeebf92ba174aecce03ff19faeef249671cfe3ca7ca35f45844789103669841a9999

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fed95da07b098fb5ce1c77aff1bfdb2
SHA1 b5e3d4d8a04f1329c00a26e9b2623c92b4884e0a
SHA256 d659366eaf2bca07d14bcf47ba8cdf9cced8d94dbd00620f08c400bc5deba331
SHA512 42f12c862de488c7b0f8b9bf33afe9844313ff942f85af4bfffc3bb17a77b247d0eea13ce13316430f4c264aec6cbbf31741e28fe4f115de6eab108cbe1e429a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b1d3aba8efd506f158566508f00d448
SHA1 4a7f7dcede48da66790243d49d9bdeb18edac404
SHA256 182e0ab96c39bbe44adabb3be2121bf9583e2a75cd16b9c5ae1baf0a694b2545
SHA512 3e2a74fee6f9b2e0a407b514d3c650d99a5d9c4133d93c6b543a18a68c9ccaddd795e34b5ce92601e7cbc2d635ad730ed61dd51702770a55183defc8db05ae62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98df85be6f2229d0d49b8611a64643b3
SHA1 04e32dea93ae0f436e45e7e8fdd825c56f3858f0
SHA256 82b59c1e1919b1ed22e654af5058417f7fb0af298a76a63c83e43584e9c20f89
SHA512 da9adddcbe239365e778c7dd20b90979f2fc44ed6bbf3cc9ab5aa1aa120903367a7ec4ce0007235169aaeac5420a1a7d75a15266e332ec3b0bf3a534653c5ba6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f9781470920e7aab104d694c929cd4b
SHA1 1db12e4d1a55b03af36c68a2178e3e8797341b94
SHA256 272e11aace28a2f651bd1c778a98efeec6eeffcbcf2fdb75847020bf5b3454ff
SHA512 d01ca092ec31744d4e6d6a556d4f832a15534ba724ce96778b54653013e78f75bb93663a4afdc987e27975e416cc5ffdd249bcb41d775586b1a88f02544e14c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3159138934340e4da9faf9498e4ad9c2
SHA1 890841d6cbc890358eafe970aba29a565a0d9449
SHA256 c2c0fe048a5f107869e5ae33d8dbba396b3bb6dfdf77c99710d9bd060caf34a9
SHA512 1e9e6da4557b6c67288035c30a5f1378c68f2c93daf8f3c2b7086320046fab763c7fae76c30c479e37858c8a3aa89789590d09a4dd67d07dacb29664e57f6bbe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c71c5a279bb59c12745b1a16c2300b8
SHA1 ee08478d404fd242b33e4a0613859cfd6dd7bfc2
SHA256 54f2d36ea5eed612993ddf6f4a6332c8f5f9ea52b9e063bae69b7281dbb56182
SHA512 3dba68b2020fd7b009ce5204066a00a0292d4d197bdae4d78c487261e55747f0463b99a4106f5c46b1219dbbc0c3ce691d01866bbece9483b53057b246af14d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b932e18f7bb2f3f09e45c6012e6c781d
SHA1 b93881ce1d37e6aec188a640935700df53601b1c
SHA256 7394070fcf633a7c350adc30a736b809c48544c9dad21f9fce6a5ed33d9b2ef8
SHA512 75755a6a6e4d521f1e92b8647a17814df49a4e7177e80124bc785c90d3778d5eefe05803f05c1de1fb0f75cf3535f98f8911f4a68342739e07f7ac6b80cf6176

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7cb4d43edcc47b2d0834423d0f0ee1e3
SHA1 1a574c6456764f424122305765273b018a664cd6
SHA256 172ded38397cb9d0e3d5c52f1fd6a9d5c89d3caa8fb5c21041e6adb9eedbcd31
SHA512 6ad1b4699b1893579ee0f81ac2a7a9da75649a373271cbef07ce76ce9276f3d32ed4d79afa0e220b956dfc46861b651f7055397b26a6d8381fe4f62dd9154da4

Analysis: behavioral30

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.pdb

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Ookii.Dialogs.Wpf.pdb

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
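
Every Network row in this detonation is a UDP query to 8.8.8.8:53 for an in-addr.arpa name, that is a reverse (PTR) lookup of an address the host had already seen, with the octets written least-significant first. As an added example, not part of the sandbox report, the following Python parses rows in this table's format, decodes the PTR names back to addresses (28.118.140.52.in-addr.arpa is 52.140.118.28) and keeps them apart from direct connections such as the ieonline.microsoft.com TLS session in the Windows 7 runs further down, so the decoded addresses can be compared with the indicators elsewhere in the report instead of being misread as outbound traffic. The rows are copied from this page; the function names are my own.

```python
"""Added triage helper (example code, not part of the sandbox report): decode the
reverse-DNS lookups in a Network table and keep them apart from direct connections."""
import ipaddress
import re

# Rows copied from the behavioral30 Network table, plus the one direct connection
# from the behavioral27 table so that both kinds of row are present.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

ROW_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (tcp|udp)$")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?$", re.IGNORECASE)


def parse_network_rows(text):
    """One dict per row: country, ip, port, domain, proto."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                         "domain": m[4], "proto": m[5]})
    return rows


def ptr_name_to_ip(name):
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28'; None if not a v4 PTR name.
    PTR names store the octets least-significant first, so they are reversed back."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:
        return None


def split_traffic(rows):
    """Return (ptr_lookups, connections). A PTR lookup only shows that the host
    reverse-resolved an address it had seen; it is not traffic to that address.
    Each lookup is (resolver, decoded_ip); each connection keeps ip/port/domain/proto."""
    lookups, connections = [], []
    for r in rows:
        ip = ptr_name_to_ip(r["domain"])
        if ip is not None and r["port"] == 53:
            lookups.append((r["ip"], ip))
        else:
            connections.append((r["ip"], r["port"], r["domain"], r["proto"]))
    return lookups, connections


def looked_up_ips(rows):
    """Deduplicated, sorted addresses the host reverse-resolved, ready to be
    checked against the indicators elsewhere in the report."""
    ips = {ip for _, ip in split_traffic(rows)[0]}
    return sorted(ips, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    rows = parse_network_rows(NETWORK_ROWS)
    lookups, conns = split_traffic(rows)
    print(f"{len(lookups)} PTR lookups via {sorted({r for r, _ in lookups})}")
    for ip in looked_up_ips(rows):
        print("  reverse-resolved:", ip)
    for c in conns:
        print("direct connection:", c)
```

The port check in split_traffic matters: a PTR-shaped name on a non-DNS port would be a real connection to a host with an odd name, not a lookup, and should stay in the connections list.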

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

146s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.pdb

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.pdb

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win7-20240903-en

Max time kernel

120s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Newtonsoft.Json.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102699bc0a50db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7BFFDF1-BBFD-11EF-81B8-46BBF83CD43C} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fd49a9bbc5d79499e1c135ed0483024000000000200000000001066000000010000200000007ea8dd386aebcf7954b1584fd3a9a108744e0e7cc16a944210fe3de09353830c000000000e800000000200002000000053d988b44baa19a18ffa722d5ddad0709a9bb0edcd97dcdbc8a3527bba2c4ca3200000007d575f1e4712f6a97813ee4bae2364e08da7bb2f6c7061cc30fc6ffa3883c4cf40000000fd1325d20e04108b549eeb33aa6a74b8b0dd041a652904be2ef6f2490092439578bb4afe168786cde6e82b7299b3228a0a19ac8693a2ede786e67aeab8f0f806 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550334" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 1128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2248 wrote to memory of 1128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2248 wrote to memory of 1128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2248 wrote to memory of 1128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1128 wrote to memory of 2368 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1128 wrote to memory of 2368 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1128 wrote to memory of 2368 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1128 wrote to memory of 2368 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2108 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2108 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2108 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2108 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
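
The rows above record each parent writing into the process it has just spawned: MSOXMLED.EXE (2248) into the x86 iexplore.exe (1128), that launcher into the 64-bit IEXPLORE.EXE frame (2368), and the frame into the tab (2108) whose command line in the Processes list carries SCODEF:2368. On the Windows 7 image this is recorded for ordinary process creation, which on that platform involves user-mode writes into the new child; the Windows 10 runs of the same files on this page show no WriteProcessMemory rows at all. As an added example, not part of the sandbox report, the following Python rebuilds the chain from the rows and checks for the shape a spawn-time write produces (every target has exactly one writer and the edges form a single path); a second writer into an existing process, or a write into a process outside the chain, is what would actually merit the "suspicious" label. The rows and the tab command line are copied from this detonation; the helper names are my own.

```python
"""Added analysis helper (example code, not part of the sandbox report): rebuild
the process chain behind the "Suspicious use of WriteProcessMemory" rows and
check it against the IE frame/tab pattern visible in the Processes list."""
import re
from collections import Counter, defaultdict

# Rows copied from the behavioral27 WriteProcessMemory table; the sandbox logs
# one row per write, which is why each writer/target pair appears four times.
WRITE_ROWS = r"""
PID 2248 wrote to memory of 1128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2248 wrote to memory of 1128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2248 wrote to memory of 1128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2248 wrote to memory of 1128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1128 wrote to memory of 2368 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1128 wrote to memory of 2368 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1128 wrote to memory of 2368 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1128 wrote to memory of 2368 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2108 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2108 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2108 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2108 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# Tab-process command line from the same Processes list; SCODEF names the frame PID.
TAB_CMDLINE = r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2'

# The target path starts at the first " C:\" after the writer path, so paths with spaces parse.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def parse_write_rows(text):
    """One (writer_pid, target_pid, writer_image, target_image) tuple per row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def write_counts(events):
    """Recorded writes per (writer, target) pair."""
    return Counter((w, t) for w, t, _, _ in events)


def build_chain(events):
    """Follow writer->target edges from the root (a PID nobody wrote into); stop
    at a fork. Returns (chain, graph) so a caller can inspect any fork."""
    graph, targets = defaultdict(set), set()
    for w, t, _, _ in events:
        graph[w].add(t)
        targets.add(t)
    roots = [p for p in graph if p not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected a single root process, got {roots}")
    chain, cur = [roots[0]], roots[0]
    while len(graph.get(cur, ())) == 1:
        cur = next(iter(graph[cur]))
        chain.append(cur)
    return chain, dict(graph)


def is_linear_spawn_chain(events):
    """True when every target has exactly one writer and the edges form a single
    path: the shape of a parent writing into a child it has just created. A second
    writer into a target, or a write off the path, is what to investigate as injection."""
    writers = defaultdict(set)
    for w, t, _, _ in events:
        writers[t].add(w)
    if any(len(ws) != 1 for ws in writers.values()):
        return False
    try:
        chain, graph = build_chain(events)
    except ValueError:
        return False
    return len(chain) == len(graph) + 1   # every writer lies on the one path


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def browser_internal_edges(events):
    """(writer, target) pairs where both images are iexplore.exe: IE's frame/tab
    broker model, expected whenever IE opens a document."""
    return [(w, t) for w, t, wi, ti in events
            if basename(wi) == basename(ti) == "iexplore.exe"]


def frame_pid_from_cmdline(cmdline):
    """IE tab processes carry SCODEF:<frame pid>; return it, or None."""
    m = re.search(r"SCODEF:(\d+)", cmdline)
    return int(m[1]) if m else None


def scodef_frame_is_writer(events, tab_cmdline):
    """The frame PID named by the tab's SCODEF should itself appear as an
    iexplore->iexplore writer in the table (2368 here)."""
    frame = frame_pid_from_cmdline(tab_cmdline)
    return frame is not None and any(w == frame for w, _ in browser_internal_edges(events))


if __name__ == "__main__":
    ev = parse_write_rows(WRITE_ROWS)
    print("chain:", " -> ".join(map(str, build_chain(ev)[0])))  # 2248 -> 1128 -> 2368 -> 2108
    print("writes per edge:", dict(write_counts(ev)))
    print("linear spawn chain:", is_linear_spawn_chain(ev))
    print("SCODEF frame is a writer:", scodef_frame_is_writer(ev, TAB_CMDLINE))
```

The table alone cannot prove who created each process; the SCODEF check is the one cross-reference the page itself offers, since the tab's command line names the frame that the table shows writing into it.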

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Newtonsoft.Json.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabC9B6.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCA28.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eba457ac5cdf36a9ab7791991b86b063
SHA1 aa4ba305e5d401251e840481c96915f80ec6d7e2
SHA256 23897661ddc0d9f15a31a64058f3f205fc1619bbe36c5afaa1b1ea01b8ab9fbf
SHA512 bc9730f50b77dea631b253ff82fd5c410711333f9995045432e92c72e137c5308579335f5a93f591142855f84ff9232faf8ffde8b8096d9e50b3286b1267dfc6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c81881e1e2c81591372d9aa0ee180458
SHA1 df10f78083104e4ae87a9c456de6af3ff258cd7c
SHA256 29e33f0dbce99266920a94db4033a441b85a7308f1bfee5fd998658cbba227d0
SHA512 b4aa26694876144e37241aaa96d61a775a50d5cc2f805a338fcd5c8ee7ab6a62c00d6b4aab3a26a217d833108c170f8f456d8b15d504637ec9140c0b4e30698a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10bb15cfbf2c18e9d3278fa6bb12a9a5
SHA1 45edcf32997de58a11fb117d221eea8fa54f6404
SHA256 08df1bcbc26588c777bdd26692346f1c47fba2cefe0b513c8c5c77368ea72e8e
SHA512 32d34ab3a01285b0d4e39021de92fa77d70ca3a955a655886fcf6d8816b13132e6cd43f1436de42292af6d5d260044f3f8bb317d5a7c667ef788bcf60f111981

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99643b633df9ea962b0f1302c9f4adcd
SHA1 9b199014058cf0eecf3697f67c293f5619657161
SHA256 1a3751652614baaa135a3d33a7536941be1f3463dd2e65a36de90cabb212f67b
SHA512 b0624b527b3359d5620d331a01a2072bb619f2efc743ce879072a991a1c8a60640a4ef6dffb4b97a3c6bc72b1a05edc610c7d39b078d54f7f71d24a5fd0a068f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88713cbfb25fb7159d822542c999ff83
SHA1 79e3e35ff40f10544d0d500b297c77e15dbfe5ff
SHA256 1ec11c47c9eafaf625ecb60c45963dead2800e6415a8a35157098cd684e086fb
SHA512 e1b8e960f083c088ef9c6e9e6cfe1f999870a346f3ba57b30d49bafec907b2d262d885c82947d355d65996587f869b9a23b8e4dfa14217f95ed83c0e6696d2f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dff0370a3682bcb13c86fa96404ee16b
SHA1 a585d7842dbf971131e88df014b473296b96026f
SHA256 812e04d356294096165fbc1c2ef4db85adc08e8dcc7e4c65133ae6ebf7396471
SHA512 8837b5c40e9068d0ef1f625a8264917fceb5889af12170ef0e9955c8d1b9c9aeee2404757af60a7252881d1be58e6e9755123ac329c4e0653b9ef6e11a71b6ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffb7e28e72dac0b0901d44fee98a90a6
SHA1 501efac033f8bbc9a009994b098cef40eecf9f79
SHA256 53d18d881ae240492e70bffb3b683af1555200b4e8a991ff1150cdd460b863a7
SHA512 0ff4cc1b9d4fe4a91d876b1c99b5edf68127ab9d2309c69013844483560f5fd3e2ed414b06faaf1db0b8c2dfa4623357017a5e66487e5c40e84af97d6df00c3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0c47264b9f321eec93defc4603cbd3b3
SHA1 b72dc417a98115dcf3ea51a24580c6959fe349cd
SHA256 b228fd1c63c852823b10796675d274a133cb48908bc57d21762dc28552fcc069
SHA512 b28278d448f8264169d29baa75aeeea5ae491e6f984635423591d83a03f8765b8180b355d3fd0accb231b01c474af8bcd5b4c26d263ad5fdee243bd9f329c7aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f9fce64390518bba9398f414a014f6a
SHA1 8f32a6067c656e9d0fe4fd3e877b4a809bc92b27
SHA256 384aca92ef97b735b65b4bd30f0545e905c98479f0869676b00fe6784a6ab2ff
SHA512 dc7ca72d71554f785d7d8b2220678df5add5008ac102d859ab929a9bbc72a32ec27492191af66b98997a2aaa4383e8bf635d739d66c75c6e987c973cc0c31e19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4f95d5b3b39f79311bca2a6523330f3
SHA1 a5cbf15228229768a9f425d35095a52bc0b404c9
SHA256 7356668cfb543934e1c270cc1762ac7f4ad3ecd5754851b85ba491d3ba5e365b
SHA512 adbb21dd908787f27c0ff87eec7fba6b23b7539fd57db1d886fd8babe98755edab098b08e11d5633a8be06944eab498e8e2c84e3dc901cae53c77c0700619050

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d69ffa29d4d749a60631bf6b3101f19
SHA1 c9dd706cc516c9c4447962db7f3327a8b93dfa75
SHA256 8f7ffdfca6451b653ec18e21ceb91e83ab3b21477c1458e4e32aeeb1d398ba16
SHA512 255ec25f4a6547d860c4c68078e8acad13d56bbc3f8b257bf4b1c872097ae86459ba3d1ae5ca2551242a474866209d01163bd4ca07a993d909a74242b73f8822

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acaf5a4dc2b397bc31b5bb4d8b0d5fd2
SHA1 fa3608c7aa8514acc94e9e8bdeb226c3c0cab0ed
SHA256 354f2889fcd689db8a3c570b48737e8d18a238a8caf5a36217b0c366f3d4901e
SHA512 a8229736431fe27ba8b1580f45658ba542c06eb309ed2b5459f3ddf2c8f6db962f92dce15576a59b44401ebac8d930b03dfb6435459c5e284378c73bd8ca8efe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 160698c4633ceb46f04dd861b30e6622
SHA1 8e1680f0e97d1f671e517fa2a8aa7f9ffcb032f6
SHA256 74a5a543760b6c867943e23a943dc21c61f228e8c9a4b57b199fb4f94aa733b5
SHA512 dd7fe0822da3e41b28bdf052dcac38cfacab7c71142c85b0204b41eadf0c3a76986b3d026d5fc45b86644198e649324a8ba1761233fbea9cc773e7ea3054d43b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 121072f71aeb95013164fbc0492b8611
SHA1 4b71cfb1a87eac45e2fd492f24f834ab4141231d
SHA256 2ba80aca62e42238ff82191221fe6131ed94e066f9afd16c3dbb5cd19b2bcbc0
SHA512 0dc57f81b2240d63adcd9221f8f31b84141d152a0374410bf106bb42c7657dbd0b7e937b5e02759b3e1839ee02a80a1ae62efcd406794bfec92ffefa8c457af7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96b8a20da04ba3bc8cd4fce3a9b90715
SHA1 ed3ef5b2839de612d0786711d24d57760ee4283d
SHA256 1ebe73e802f3e8cde942b70c6790f9a13d7432a7da281e04e3b08cd804f5336f
SHA512 68a787d2a1b316bf15796413ae439d69d262aa75e6c31e63a424d868bf2569f76e186216d8adb5d4b1807105714b89c35d21c954b24adbf3d32c47c4a9199aa9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7fb85c3d8c9a0fa96216b622a0aa0788
SHA1 f2a4d39f2d9078acebbbd1d6f9942bfa847593a9
SHA256 72ceee26aa61b88393dc4b525c0beb1a605936a18aa2d4d3ae04bfb5dc8abc6d
SHA512 3ca29fc232c9e163c1467fcfefb76abc8ba4be429e89a51e50015c51f71ac7fd007a6a7ddadd579c60f198634bf7ec06831ded0ee1464ddae98d59562068ce3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 155c56b538828c4a223b7ce5091939f0
SHA1 c8b51c6f1aa3b1f5f53d41e9b7f4717b442e21a2
SHA256 bac3c943a23c2baa61171b9b7ae242723eb1030ee975fafd8e563da6828f1337
SHA512 3b651961661cf4750d8cef7eb68f19e2183cdf59a0682f99a47e9ce9cf776d40a9bbf6a7105ee3c2649d4fd0898de69e1c07e16d688269bf054e932b6200bd15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cba77e24eec3ba99fb06303e1c7732df
SHA1 fe69c0595479db185aa89201b6fcfd8c2acc9685
SHA256 2baacf758093b00242619b22d2c199f2c17e20228ea7b561e063cf1e53402d74
SHA512 a4382f431ff29806f81f5a62996d305e9da93febd9f55ede91ea161a2f88ea34f0a3a7d9aaf2b434feae33253bcbbacecdf7bc74521c7bfdfb4cbba317ce7704

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f25ca4c9549fb8ac688386e30b64de08
SHA1 e98c77a49534d55f9b695867f0616ae805c181c4
SHA256 54c551e18b960367545a797c1d4d6c17c175a36c8f1c9285a49a37e87b78327a
SHA512 8e677f53af0f03980306b4b2c96cc46cdb00415ef48297bda52adb4b6318589118a37acf11f7e92164fbe4ecb841b4b05031d216ea38c4714b5498f885499561

Analysis: behavioral24

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

141s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Microsoft.Threading.Tasks.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Microsoft.Threading.Tasks.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4804-1-0x00007FFD73E6D000-0x00007FFD73E6E000-memory.dmp

memory/4804-0-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

memory/4804-2-0x00007FFD73DD0000-0x00007FFD73FC5000-memory.dmp

memory/4804-3-0x00007FFD73DD0000-0x00007FFD73FC5000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

98s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.pdb

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.pdb

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win7-20240903-en

Max time kernel

118s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Wpf.Signed.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550332" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ed3ebb0a50db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E69F0561-BBFD-11EF-9527-EAF82BEC9AF0} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b94a6f409177e0479b5a661aa7b0fca300000000020000000000106600000001000020000000cff202ced7f43c2f8aa1a608b4dc7894aca2c1f01d465200ca09a0161dd6aef0000000000e800000000200002000000073a39f0b43c0276fb9fd00bba6aaa992aeff3e228c2cf03596c2c256d477faa2200000002da2d152314c11d157ba53f9b0c5f188f40652df3c8914a2a208aa24f781a9404000000065090474022b572ec3b2785a003508b7d9c33a46e74be154ac2cb5394c886772c934f8caea4ab1c45a7ac50446aa442124b5125a301b024c30ac0dcfc84601b1 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2788 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2648 wrote to memory of 2788 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2648 wrote to memory of 2788 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2648 wrote to memory of 2788 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2788 wrote to memory of 2744 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2744 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2744 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2744 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2744 wrote to memory of 1604 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2744 wrote to memory of 1604 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2744 wrote to memory of 1604 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2744 wrote to memory of 1604 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Wpf.Signed.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab18B2.tmp

C:\Users\Admin\AppData\Local\Temp\Tar1960.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral11

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win7-20240903-en

Max time kernel

122s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000549d7e9a22aa7240a7473edb6123189e00000000020000000000106600000001000020000000a1506276b1a0d1dafb903b8ecbe3485fcbbd6978a447c3175a711ee199568791000000000e8000000002000020000000b3ea7a154b3517021532be6049f9333fc967bf05af0b86da85e2373de369ed5d2000000007711fcc826982d8a527500e1f23100d89fd2975852ceb64480c557b5b81274c40000000623e53b6f04533e32cc1ccd241df963ae360458f887d2ca59336d1aec45083056b49d2c0757d79233bc190d76e5ecff3e02daa8b7ddf4dc25096eb5a73d97eeb C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c494bd0a50db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8E1C971-BBFD-11EF-B40F-EAF82BEC9AF0} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550336" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2088 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2348 wrote to memory of 2088 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2348 wrote to memory of 2088 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2348 wrote to memory of 2088 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2088 wrote to memory of 2104 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2088 wrote to memory of 2104 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2088 wrote to memory of 2104 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2088 wrote to memory of 2104 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2104 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2104 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2104 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2104 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabCDBE.tmp

C:\Users\Admin\AppData\Local\Temp\TarCE6E.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf1dd171effe9ea0506a1eed03ff7aaf
SHA1 2a3d00ad40ed3e3a83a53d01560748327f96f46e
SHA256 280ca5a56922493782878c2b7c1114962099eb77e77e63e5555a526f364ec851
SHA512 95262c828b7207b94e78ea8846d590a6d6a03aa1233cc2edf46e0b8ee0d74a6871e4ea50720225d380de420cbb7b5d8fc02f115b117a7fe694273fc046ee90b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 69ff56c9b50c6df69942b0744e7bf550
SHA1 8469033827b0c98229ca08f0483372ad0c0e5def
SHA256 739ef29649cdacba5d6197f18bc5df18851455d5ba1e496f02abb55802bf492b
SHA512 6e964fe077fa10befaba2f050cb51c71014a1bddf050ca5977b097275c72541d89572321d87e2723169b1ded5511a93baaafe971f4b2e3e29f00a2fe42c62d53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6306ceff83b7c16fba9909da7b69efeb
SHA1 156540f3f3fc7e31b13dc775cbf148ede71e69b0
SHA256 85c6b1c66143a7335315e274977fb628a7405b2d9d61ff7e7cc4af3f1ed90a12
SHA512 0c72a87ab62fe11aafc9dace104c8c3a24a283cedbf8205468b09cd95f4f1c7248c46708f3a904965f250c2180b9c7f0c1fd3132f7d8051922cbba78d423ce32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5df6278c9ab8acfaa1189a218979af3
SHA1 9cc99bca77aaae4ac09146a275aa223f85c4200e
SHA256 49d789c986ee0101c66df43f387afa7181c52bf63e8c06a75d89c919369dcc56
SHA512 d8584cb4b38da43b53e4ab2bd6092864a5cae3c6bb431ee98164d801e3dfdf3543ac49eed3d4f3e2b3f0c370a37a4e6c9d30dd30af744e791ba4ad8c381e2639

Analysis: behavioral23

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win7-20240903-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Microsoft.Threading.Tasks.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000222b7449714fef4b890928982fa9eada00000000020000000000106600000001000020000000fd4d61084b51dd3a2da7000277a341005319917c1822fc7c928c079891babbe1000000000e8000000002000020000000b988279160c97dc78772d8386d01e3e4bf247c0a6f2d6de631f2cdb4186cadda90000000c62eea78f9817921f583db764af717c5e7f6af48cccacaa118bda84e481ad3aaed657d869045b944f9005c4e57cd1005a631b96d3b75b99aa70a4772923eed84b6e86291efdab6451f80bb0e76be6aa32dffa3ff7430d620f12d999457ebbad14c305f98371b57308ef17ad0f1cb116d7d3e1fa86e461651d8bfefac1ae586a2b89362b9c9d92cebea0c924e7722cb3240000000597a6546228a22259d16d4eedf1ec7119876969212276f7b1de5083995ecfb10ef43cb150eba1d8992997f256070dfc7e68cd87aaa951b42ad3f285f474aa7ec C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1036c0bc0a50db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000222b7449714fef4b890928982fa9eada000000000200000000001066000000010000200000009f30830c6a2925c6176b8138d40fdde0d040731e62eb7906470b6ee4659270bb000000000e8000000002000020000000e166299964b6e59dbd33f40c990756da421361c985eb205d7b26c524fa435bae20000000bc8e222a8125cab9806781b28d4e7a0b3c57f95722c8e9f3e9c56a5430a9d9af4000000083203bd3ba8dbc89af4b519ce0c4ba6801012be895a5385136f86e321f768cd8de9fe22df60c63b24c2b0c87dc980c88e2a2e429963c909d4a1f3fdf8becb0ab C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E830E061-BBFD-11EF-949F-EAF933E40231} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550336" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 2824 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2824 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2824 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2824 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2824 wrote to memory of 2728 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2824 wrote to memory of 2728 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2824 wrote to memory of 2728 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2824 wrote to memory of 2728 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2116 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2116 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2116 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2116 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Microsoft.Threading.Tasks.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral8

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Wpf.Signed.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Wpf.Signed.xml"

Network


Files

memory/2752-0-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

memory/2752-1-0x00007FFA7C9CD000-0x00007FFA7C9CE000-memory.dmp

memory/2752-2-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

memory/2752-3-0x00007FFA7C930000-0x00007FFA7CB25000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win7-20240708-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Orcus RAT.rar"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2440 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO87984267\Orcus.Administration.exe
PID 2424 wrote to memory of 2440 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO87984267\Orcus.Administration.exe
PID 2424 wrote to memory of 2440 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO87984267\Orcus.Administration.exe
PID 2424 wrote to memory of 2760 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO87989447\Orcus.Administration.exe
PID 2424 wrote to memory of 2760 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO87989447\Orcus.Administration.exe
PID 2424 wrote to memory of 2760 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO87989447\Orcus.Administration.exe
PID 2424 wrote to memory of 3036 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO879FB087\Orcus.Administration.exe
PID 2424 wrote to memory of 3036 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO879FB087\Orcus.Administration.exe
PID 2424 wrote to memory of 3036 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO879FB087\Orcus.Administration.exe
PID 2424 wrote to memory of 2732 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO879AD7C7\Orcus.Administration.exe
PID 2424 wrote to memory of 2732 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO879AD7C7\Orcus.Administration.exe
PID 2424 wrote to memory of 2732 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO879AD7C7\Orcus.Administration.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Orcus RAT.rar"

C:\Users\Admin\AppData\Local\Temp\7zO87984267\Orcus.Administration.exe

"C:\Users\Admin\AppData\Local\Temp\7zO87984267\Orcus.Administration.exe"

C:\Users\Admin\AppData\Local\Temp\7zO87989447\Orcus.Administration.exe

"C:\Users\Admin\AppData\Local\Temp\7zO87989447\Orcus.Administration.exe"

C:\Users\Admin\AppData\Local\Temp\7zO879FB087\Orcus.Administration.exe

"C:\Users\Admin\AppData\Local\Temp\7zO879FB087\Orcus.Administration.exe"

C:\Users\Admin\AppData\Local\Temp\7zO879AD7C7\Orcus.Administration.exe

"C:\Users\Admin\AppData\Local\Temp\7zO879AD7C7\Orcus.Administration.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zO87984267\Orcus.Administration.exe

MD5 1f47b14658e28812b452ba2059df1610
SHA1 5cd43eb9f52093b3d27f6d41d016bb9bddd9bdf9
SHA256 0d5a4541da4b8a9613fea8c160596ad697580c8f5f72e4e2a5245f58e67e7803
SHA512 2a26eaf4757a938a5335f5a5164a30aba3eae10d682ba2d6c5df934288ecfa5ca20672205c86093c33aab7288e0ca40d18606761237ab9178bdc65e13165b807

Analysis: behavioral12

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\FluentCommandLineParser.xml"

Network


Files

memory/4708-0-0x00007FFE54850000-0x00007FFE54860000-memory.dmp

memory/4708-1-0x00007FFE9486D000-0x00007FFE9486E000-memory.dmp

memory/4708-2-0x00007FFE947D0000-0x00007FFE949C5000-memory.dmp

memory/4708-3-0x00007FFE947D0000-0x00007FFE949C5000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\GongSolutions.WPF.DragDrop.xml"

Network


Files

memory/1756-1-0x00007FF8EE92D000-0x00007FF8EE92E000-memory.dmp

memory/1756-0-0x00007FF8AE910000-0x00007FF8AE920000-memory.dmp

memory/1756-2-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

memory/1756-3-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win7-20240903-en

Max time kernel

117s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\ICSharpCode.AvalonEdit.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550333" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7C247E1-BBFD-11EF-8778-C60424AAF5E1} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003effa63e9c871f48bcc98ee4333611cc0000000002000000000010660000000100002000000070f847667bf7b2c3f7b6c30aefecdab1d84b27ce6b564a6309faf14536735074000000000e8000000002000020000000b129b06a592848319f0d0146ffedfbfaab642eac3d444360c47b74bbcda848a5200000006ba111b73526f724d87c1106eea52f99cf7315e3820e2fdc8b08d730276b9622400000006f2e81e22df5c0958d2c29623868e9e2d5c8fadb74991fb8429eea44023c878c31c2fddf4b254a1f299b64bbb0f96271d06cff1eedf9d16566ad0a56b27e952d C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f02aa0bc0a50db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2864 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2700 wrote to memory of 2864 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2700 wrote to memory of 2864 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2700 wrote to memory of 2864 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2864 wrote to memory of 3028 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2864 wrote to memory of 3028 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2864 wrote to memory of 3028 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2864 wrote to memory of 3028 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3028 wrote to memory of 2680 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3028 wrote to memory of 2680 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3028 wrote to memory of 2680 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3028 wrote to memory of 2680 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\ICSharpCode.AvalonEdit.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral21

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:36

Platform

win7-20240708-en

Max time kernel

134s

Max time network

131s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550333" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7294401-BBFD-11EF-BF23-EE33E2B06AA8} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 506402bc0a50db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b7f65798e85d04b8d2f5a1126d794ef00000000020000000000106600000001000020000000136c85e8a67811545bf596969004f58b02d47095465c895a34b77891d7c5b847000000000e8000000002000020000000e8a00be1ddf90676a7292b4a753367ded5ddf8acb6a95c4f8164e20a764d53ff20000000a0e8c25b67e56b4fc20fc4fb6ca7efdc23f028eb070def54d89a7eda9348bf0d4000000018b34b52de147c88d529b555a50ade3eca55a8918b9d5699d21f4799ed6b683c604b169802d6a8bf11408d9f2a56fc4c3380441d8e3744f13ea2dbb4d018f46f C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2176 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2404 wrote to memory of 2176 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2404 wrote to memory of 2176 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2404 wrote to memory of 2176 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2176 wrote to memory of 2200 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2200 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2200 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2200 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2200 wrote to memory of 2012 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2200 wrote to memory of 2012 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2200 wrote to memory of 2012 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2200 wrote to memory of 2012 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

SHA1 98c0feaa4d048a15c2c7eb47544dc75be0edcb8f
SHA256 e0ad82a786dbbc543980a819d0cfea75a1f897d6ea98b551e529182e86275116
SHA512 70d3ab0755dede8fe151cf2e2480dacfe234d0d3926c89e1578fe0e8d184e27cb2f41fab412b2b8ea033e9655e68955016e87f3143a29f7dac12d24f25f19876

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb7600e9c4e5587cd937f33cc8faaf2e
SHA1 2b6ae12e2b0bbc6cb339099dd975867e97219690
SHA256 fc2ecab141e8735d4edb864c42a75c901fd22ce4fd9d1248e06972d2a3924b24
SHA512 1237313183087ed360818d495fb1850d1a728af0d0ef8d9b3f664c3bd375f069f9eb07a67c981c030299c34df43b340fe7721f794fd09544cd38739100fd45e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 119db1551bc233bca7afc16bc88bed6e
SHA1 49417aac04c5ef289acc727631658f01a4bb4159
SHA256 0e9f502055d8a3baad7e93205e7246911ddb10f34259ab1bb2f091bc9f6dd8d5
SHA512 791b849ecb25c1f4a23af2bcacb5b3763c1344cacda3bec8c06b0a8a44207ce5bed88cf5ea80b434eba712fdec43d6d5cce7103f242bbe467a1880833ab54ea8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3bb782bc906ddd6f0064a3881ae0260
SHA1 d3abea5a20d68bd75b442f18c0f47d77a5d8a42a
SHA256 6aaa5cbc13780cd6e65f690dc3251b96b2f877a9e0b9b0859ff1eccb39ce2f91
SHA512 03cac63d7c9ae0ca4f15ae55397c2f9e3ab6a3c8257d615740767dfc66f67f734b7cc0e3d515af5985ea2fd70741109156548887333657749aa891d41410a6a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 762015570a1a9968b677843809dccd3e
SHA1 90a898c311420a65e6d1488d4a45bc02bd6ba7d3
SHA256 19e003479e74f8d83124c6d06409ff42abba7c5f7794c33f387cee8c55b9fe07
SHA512 bff79c1e66cebb9087c8025d50043c7041beee5c7b17b12d8b9dc023701c1c6be4d3e3a53f88ad1ad8da60e50ebf2b1effbf8bd13ec6782521ba27402f19ce04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42a154ace60071fb835b4910a5c0dbe1
SHA1 bf5342fe0680a0b92e17402b2605dff3f5daa589
SHA256 95d4dadb8295dc9940eee978693b7bd973e26ac717c61663c3ab9e8e663f5fae
SHA512 7d62db6008a6129df1ef047a8c40d99110b35464e1d4f6c77c1f42828819cbd60157a5b19925971b3f41efc0c313fb5bf5c0733792b125435c2086afc37d3210

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 993f0e0a15dcfb364908ceff3aa2f85c
SHA1 00bb7af6f66d3c84595f0b0cdf7b1f7ae32bb493
SHA256 d7420813e2216ee17ef6fd33f38d38b7a9b9c6bdfda6d1bdd42383ae1cec7e00
SHA512 8094129dc5d75258da37b37e7456556e54e32285cc5d1268f0ccec4452a5a63e981a0b4212e2080fd6420e54142ff271f4016fa5dcead24b9ef8d47005766e38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2a2999280b2037a1c3a8d6e545fb06b
SHA1 f183141697a956d0776461882d156d1d2120c310
SHA256 7f370d49f7c3545b8c2dc2d5a54e062535f78d8419abb819e49cd59657dc338a
SHA512 6956ebaaf1e001f9f077a8954a485458720ea4ba96703a9d88e237913fcfb3e52486a31af2464f5aba2a0ed50e678f9d0f2404f5498ec655c82c756dfbc3ccee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1bc96ed6020e3c09d35652f76dbb11c
SHA1 3b8966be783c37a110595439295196ba0ee77971
SHA256 f09e28b6f712c8f2672232d3266d55db7c2c5b5dfec4b502001b3b5c8abf87d0
SHA512 6282929657c7a5dbb689cdc9896fbda03f67a5abe5f2d45b8b18c25203d303587545755bf2aaa6bc6ff163573570fb92cd7f1fff462a2707bef6172f4654e158

Analysis: behavioral22

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\MahApps.Metro.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/1576-0-0x00007FFD7BBD0000-0x00007FFD7BBE0000-memory.dmp

memory/1576-1-0x00007FFDBBBED000-0x00007FFDBBBEE000-memory.dmp

memory/1576-3-0x00007FFDBBB50000-0x00007FFDBBD45000-memory.dmp

memory/1576-2-0x00007FFDBBB50000-0x00007FFDBBD45000-memory.dmp

memory/1576-4-0x00007FFDBBB50000-0x00007FFDBBD45000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-12-16 22:33

Reported

2024-12-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Signed.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
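The Network tables for behavioral22 and behavioral6 contain nothing but reverse-DNS (PTR) queries to 8.8.8.8: every "Domain" is an in-addr.arpa name, so the host is asking what name belongs to an IP it already knows, not resolving a C2 hostname. The added example below (not part of the report or of the sandbox's tooling) reads rows in the format this report uses, turns each PTR name back into the IPv4 address it refers to, and separates reverse lookups from forward lookups and from direct non-DNS connections, so a reviewer can see at a glance that neither MSOXMLED.EXE detonation produced a forward resolution or a direct connection. The row text is copied from the two tables above; the function names are my own.

```python
import ipaddress
import re

# Rows copied verbatim from the "Network" tables of behavioral22 and behavioral6 above.
NETWORK_ROWS = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
"""

# A PTR name lists the four octets of the address in reverse order.
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def ptr_to_ip(name):
    """Return the IPv4 address an in-addr.arpa PTR name refers to, or None if it is not one."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        # Reverse the octet order: "209.205.72.20.in-addr.arpa" -> 20.72.205.209
        return str(ipaddress.IPv4Address(".".join(m.groups()[::-1])))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows as printed in this report."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header line or blank
        country, dest, name, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "dest_ip": host, "dest_port": int(port),
                     "name": name, "proto": proto.lower()})
    return rows


def triage(rows):
    """Split rows into reverse lookups, forward lookups and direct (non-DNS) connections."""
    result = {"ptr": [], "forward": [], "direct": []}
    for r in rows:
        if r["dest_port"] == 53:
            ip = ptr_to_ip(r["name"])
            if ip is not None:
                result["ptr"].append(ip)
            else:
                result["forward"].append(r["name"])  # a real hostname being resolved
        else:
            result["direct"].append((r["dest_ip"], r["dest_port"], r["proto"]))
    return result


def unique_ptr_targets(rows):
    """Distinct addresses the sandbox reverse-resolved across all rows."""
    return sorted(set(triage(rows)["ptr"]), key=ipaddress.IPv4Address)


if __name__ == "__main__":
    t = triage(parse_rows(NETWORK_ROWS))
    print("reverse lookups:", len(t["ptr"]), "forward lookups:", len(t["forward"]),
          "direct connections:", len(t["direct"]))
    for ip in unique_ptr_targets(parse_rows(NETWORK_ROWS)):
        print(" ", ip)
```

If a future detonation of the same archive shows entries in the `forward` or `direct` buckets, those are the rows worth pivoting on; a table of PTR-only rows like the two above is consistent with a benign XML viewer launch and gives no C2 indicator.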

Files

memory/4840-0-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

memory/4840-1-0x00007FF81CAED000-0x00007FF81CAEE000-memory.dmp

memory/4840-2-0x00007FF81CA50000-0x00007FF81CC45000-memory.dmp

memory/4840-3-0x00007FF81CA50000-0x00007FF81CC45000-memory.dmp

memory/4840-4-0x00007FF81CA50000-0x00007FF81CC45000-memory.dmp