Analysis Overview
SHA256
27426ae7867ec686e6dff221ee8b13d59b0bdc13244fde1957442e03e26c07cb
Threat Level: Shows suspicious behavior
The file Project Iconic V3.rar was found to be: Shows suspicious behavior.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-18 02:38
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral11
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\DevComponents.DotNetBar2.dll",#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
155s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PC GSC\maps\mp\gametypes_zm\_clientids.gsc"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.252.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\_shellshock.gsc"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\PS3Lib.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240729-en
Max time kernel
89s
Max time network
17s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\ProjectIconicEvanescence.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\ProjectIconicEvanescence.exe
"C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\ProjectIconicEvanescence.exe"
Network
Files
memory/2532-0-0x00000000741FE000-0x00000000741FF000-memory.dmp
memory/2532-1-0x0000000000800000-0x000000000088C000-memory.dmp
memory/2532-2-0x00000000741F0000-0x00000000748DE000-memory.dmp
memory/2532-3-0x00000000741F0000-0x00000000748DE000-memory.dmp
memory/2532-4-0x00000000741FE000-0x00000000741FF000-memory.dmp
memory/2532-5-0x00000000741F0000-0x00000000748DE000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\Readme.txt"
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\XRPC.dll",#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
109s
Max time network
111s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Deep Blue Theme\config.gsc"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Default Theme\config.gsc"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
125s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3.rar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2384 wrote to memory of 2980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2384 wrote to memory of 2980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2384 wrote to memory of 2980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2980 wrote to memory of 2788 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2980 wrote to memory of 2788 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2980 wrote to memory of 2788 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2980 wrote to memory of 2788 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Cave's Theme\config.gsc"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Cave's Theme\config.gsc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Cave's Theme\config.gsc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | c06671635f5b768b82f2ec68cc00e996 |
| SHA1 | 7d9d880054b85144e7b0840f580bd25fc4cc6aab |
| SHA256 | cbcad10bd279d8f56f649ea968181e72ecbd9a2b769491274fc112b41fbe5357 |
| SHA512 | 33f91a7e094d7ef0220925a978305bb50d378d0759735838205f5e6ca91df3d000398c561d6aa728e18c974a69bcc9fb760181a415a8de5ca7b5b178dbab029e |
Analysis: behavioral10
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
142s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PC GSC\maps\mp\gametypes_zm\_shellshock.gsc"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.252.100.95.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\DevComponents.DotNetBar2.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.252.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2168 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2168 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2168 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2684 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2684 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2684 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2684 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\_shellshock.gsc"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\_shellshock.gsc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\_shellshock.gsc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 95420d4bb78a1c3aff58aae6e514a969 |
| SHA1 | 5b22db482cb8c9b162e99f63163e4d38cb40278d |
| SHA256 | fa402590fabbb7df57daa37fa0ba6f22f3009d73f0965e7f06bef97bb5b23b3a |
| SHA512 | e5310dd901ba17a2afdd0cd420e772836272f0912ad322e0f0c278018c474add6f436f0895e9019919a02df948a7b21ddbf913263b6285f0b285cca5143ad586 |
Analysis: behavioral26
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
146s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Blood Theme\config.gsc"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8BB96711-D545-11EF-A02E-FA59FB4FA467} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2604 wrote to memory of 2824 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2604 wrote to memory of 2824 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2604 wrote to memory of 2824 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2604 wrote to memory of 2824 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3.rar"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://appdata/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275457 /prefetch:2
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Project Iconic V3.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Project Iconic V3.rar
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2680 wrote to memory of 2916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2680 wrote to memory of 2916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2680 wrote to memory of 2916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2916 wrote to memory of 2572 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2916 wrote to memory of 2572 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2916 wrote to memory of 2572 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2916 wrote to memory of 2572 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Console GSC\maps\mp\gametypes_zm\_clientids.gsc"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Console GSC\maps\mp\gametypes_zm\_clientids.gsc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Console GSC\maps\mp\gametypes_zm\_clientids.gsc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 8bd77bcc02046d43083ea000064af838 |
| SHA1 | 1e214a585d5b61c52b0bf172c8ba54ea2d609382 |
| SHA256 | 250d784659b4fa14fda52a183f6b62062281b60ff127947b4e8ace03a91607f8 |
| SHA512 | 582c8e4196552fbaea6e931a2a72d1278b339b172c48d2496b9d54f8a812bafeebc16218ca287c0543f24bf081973370e87da6915db6e211329aec6b699192ae |
Analysis: behavioral18
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
145s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\Readme.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20241010-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3052 wrote to memory of 2044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3052 wrote to memory of 2044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3052 wrote to memory of 2044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2044 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2044 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2044 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2044 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Default Theme\config.gsc"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Default Theme\config.gsc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Default Theme\config.gsc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 07beae21a6cfa5ea009b844a5c160947 |
| SHA1 | db5b03d5529939b13af2c5d9d7c2af8c7fe85a18 |
| SHA256 | 4723a0190c28c572d85e2a45fcc6af2c4256d22635f91cc13f489d4f242eb279 |
| SHA512 | 32d13dc44c78ce7d9c233043ff9272e9821491cb30adc41604b768461487fe8287a22b7db91020dbc0017b3132f76993dc5addfe16b3e579071dac5cf0f6eac4 |
Analysis: behavioral4
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
99s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Console GSC\maps\mp\gametypes_zm\_clientids.gsc"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.252.100.95.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\PS3Lib.dll",#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\ProjectIconicEvanescence.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\ProjectIconicEvanescence.exe
"C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\ProjectIconicEvanescence.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
Files
memory/4164-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp
memory/4164-1-0x0000000000650000-0x00000000006DC000-memory.dmp
memory/4164-2-0x00000000054D0000-0x0000000005A74000-memory.dmp
memory/4164-3-0x0000000004FC0000-0x0000000005052000-memory.dmp
memory/4164-4-0x0000000074D00000-0x00000000754B0000-memory.dmp
memory/4164-5-0x0000000004FB0000-0x0000000004FBA000-memory.dmp
memory/4164-6-0x0000000074D00000-0x00000000754B0000-memory.dmp
memory/4164-7-0x0000000074D0E000-0x0000000074D0F000-memory.dmp
memory/4164-8-0x0000000074D00000-0x00000000754B0000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20241010-en
Max time kernel
14s
Max time network
19s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Readme.txt"
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
98s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Cave's Theme\config.gsc"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2516 wrote to memory of 2224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2516 wrote to memory of 2224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2516 wrote to memory of 2224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2224 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2224 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2224 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2224 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Deep Blue Theme\config.gsc"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Deep Blue Theme\config.gsc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Deep Blue Theme\config.gsc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 8023ff26b2626c96584b2e4e6eac937b |
| SHA1 | 71acb48c3e9b568e4e30a0bfe740b5d619d6e5d7 |
| SHA256 | 3cdc64df436e4e7533a5d62fe369513e883aa144a28d6b5366c6d5843489763f |
| SHA512 | 21553e677d2f2a4dd6021b124588aceefeb9f1a81f0c35575bd15b587c5e3b34ae18e822945f979aa83f778ddd90436bf6e57860c5d77a8fe2441551931b1221 |
Analysis: behavioral5
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2728 wrote to memory of 2620 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2728 wrote to memory of 2620 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2728 wrote to memory of 2620 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2620 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2620 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2620 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2620 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Console GSC\maps\mp\gametypes_zm\_shellshock.gsc"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Console GSC\maps\mp\gametypes_zm\_shellshock.gsc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Console GSC\maps\mp\gametypes_zm\_shellshock.gsc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | fed9ef4da221248c3fffbbac5a1d0f08 |
| SHA1 | 8e3ba0ab0922b3c333ae4c28cc71241b6e974b36 |
| SHA256 | 8fb33882a2ba051e73836dbc028e1efbf692cb3d7a848ab62519203c451f9c8b |
| SHA512 | 624f23576a277abfcf6aaf93a7a50202d92f0f679c5a1b69fd4ecac963861d776be80319498a0e2153721e43a8908ab6501481dd847ecb9408cc25a16c519859 |
Analysis: behavioral6
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Console GSC\maps\mp\gametypes_zm\_shellshock.gsc"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1788 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1788 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1788 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2676 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2676 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2676 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2676 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PC GSC\maps\mp\gametypes_zm\_clientids.gsc"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PC GSC\maps\mp\gametypes_zm\_clientids.gsc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PC GSC\maps\mp\gametypes_zm\_clientids.gsc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | b74e4c370a623ee060f825caf628cb99 |
| SHA1 | 8115c11857f4df6ab9060e94cf46babd23fb2e82 |
| SHA256 | 34124d45f5c754806319e8010836f45160bfbb68f681dd86c237789a680bcd86 |
| SHA512 | e7e64d1c681dd9f5a62c2fbef2db75500e9a4edec1f7e909288e174865f688c18bb4a1657a8d0db07ec2e454d5bfeb60e74d53b2f0c0e28804ddf43fe2e5783b |
Analysis: behavioral9
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2120 wrote to memory of 3064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2120 wrote to memory of 3064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2120 wrote to memory of 3064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3064 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3064 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3064 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3064 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PC GSC\maps\mp\gametypes_zm\_shellshock.gsc"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PC GSC\maps\mp\gametypes_zm\_shellshock.gsc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PC GSC\maps\mp\gametypes_zm\_shellshock.gsc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 21e2a30b1c56dab851760969f256e99c |
| SHA1 | 5260fa8592da56ba6c3f1121fdf2c4d5abceda72 |
| SHA256 | c4321f52b080b008bf60a9c3981d20ad81c116f582fdfd89a5395ab7c41c5dfd |
| SHA512 | 7f62fb57b2d71859321ce2b8dbde443e8559dd38f83f3eeeeda825bf6821cfa8db6b8cccfd451efb1e652bd56b659757786916cca62711067d2fbc451c357469 |
Analysis: behavioral20
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
100s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\PS3 Injector\XRPC.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Readme.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2025-01-18 02:38
Reported
2025-01-18 02:41
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2228 wrote to memory of 2788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2228 wrote to memory of 2788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2228 wrote to memory of 2788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2788 wrote to memory of 2500 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2788 wrote to memory of 2500 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2788 wrote to memory of 2500 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2788 wrote to memory of 2500 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Blood Theme\config.gsc"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Blood Theme\config.gsc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Project Iconic V3\Themes\Blood Theme\config.gsc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ef57041f731de757cd544027ceeb4e99 |
| SHA1 | d7756bd49bd203a0b19dbbcc7865b723f2fbdf96 |
| SHA256 | 4573892172fe44c4ea07ab27dd31bd2b88d0da0dc2bbadaf6655ba99535d7023 |
| SHA512 | 006c30d2324dec3329c7e54be685ca68cefca26b398893567dedc06f250b46f8bff81348d0ce3fae248087f807b36a43c218f6186383e72193bef8473044bfff |