Analysis Overview
SHA256
eff1f6f484f1be9c5ba67dba64907ca90081414dd83453e3df8e8074f6f8ccd0
Threat Level: Likely benign
The file tma-latest-bepinex.zip was found to be: Likely benign.
Malicious Activity Summary
System Location Discovery: System Language Discovery
Unsigned PE
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 20:51
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\tma-latest-bepinex.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240708-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1896 wrote to memory of 2320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1896 wrote to memory of 2320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1896 wrote to memory of 2320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2320 wrote to memory of 2752 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2320 wrote to memory of 2752 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2320 wrote to memory of 2752 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2320 wrote to memory of 2752 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\harmony_interop_cache.dat
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\harmony_interop_cache.dat
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\harmony_interop_cache.dat"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | c7faa736a414cc7cfc86f38c176af0fb |
| SHA1 | cb0442a20297f3d91815e31315710a6b1fce1e40 |
| SHA256 | 3a09c530c2b5de9d8a2d8d63ef060b9d14f9e8b52f3260640a1d42701c0ace22 |
| SHA512 | 86a170903c191b53cba064183d4c3e6fab2abbf4b00a2b206f85a83e457f9e0c7863f7356511853e0301b1c5c5d5a3083838e783d1773bd25d45c57095d15872 |
Analysis: behavioral15
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony20.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240903-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9869D01-DCF0-11EF-9FB8-523A95B0E536} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2abadddde466e4f9bd53201bd88377f00000000020000000000106600000001000020000000f4989955e2f167fe8193031da6583d2dc4c17548311df5c1f1db16a7c13fb9c8000000000e8000000002000020000000ef7ea5a68674361f8b40052c32c10cd1e56be96cb87e06e7c797f64bc898b8b620000000ab351b5b1d3c9539e7270a083080e53f9341facd03d1d222ab6ab10a3eabd41240000000c4204a7822b9f70fbe5c17f4fe341952ceab745f03d5df4c8c4ac3dba725fd0db56728c3411d987b5f4dd3db693b2bc400c75ddec3fdd60990123d661906c5ff | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 105f2b7efd70db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444173034" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabF94E.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarF9FE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral26
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:56
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
144s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240903-en
Max time kernel
134s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9780E71-DCF0-11EF-8C40-E67A421F41DB} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40880e7efd70db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001527c96f3279b141918164042519387100000000020000000000106600000001000020000000ab951308ef6e72a0aef37ec09c402a61da441bc5722beed7a9dc156755aeae9c000000000e80000000020000200000004bda384e60cbdc741016fca06e4f4cca1ccc77e1ca5f738badb8dea042a1e927200000006ffd453989b959991bf9fe035ddfbc416fcfe45a3f70e57cbe090b4e2829135f40000000630e829c5915b7c357651ba43165605de9eea7de125a4de2f9cc799f4196f35b29229d61475cfa6cf5027ea43f65a31ceae2bacb5cea85bec9db953b10d6897b | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444173034" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabB6B5.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarB754.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6a72cceb40653edee9577e2b245395b1 |
| SHA1 | 9647ea97b23d206d3e411613687cf561a2c5a0ce |
| SHA256 | f6574a52ea02ea7cced4721ee823943db0eefefd4074030671100a88c4a44020 |
| SHA512 | 824a0e09dd11a5465fe5eb4d3caf60b49ab5a09d9cda9fc096d2b31da179a5ac5fb5c2c63174e973b60cd016810fd4a9a68681717c031c25c99133f3719ceb7c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d325770b67f8a578ef63d59e9ec9fa23 |
| SHA1 | ad81a2849400a7bb34989c7eb95e1cf0fd1ac2a8 |
| SHA256 | 1911e90f054eba4210d6463dd0cb02b641458301873a0980f537e46150f12d22 |
| SHA512 | c00ef1f22f019107a38cc221b1b1642579ae49bbdc32e1871fcc40b7d25d297fbfdd22102beb2d363eba48e9125866ecfebd7e373db1d26796a1fb2201f02300 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 60806ad5b7d80df193654ae4c7a249e2 |
| SHA1 | a2c33ce9dd4c0ba441390018d9fe852ffa0a3a4c |
| SHA256 | 297f3672dd2267c202a93d29a5ac6478edb3c51a2a34642622829045e7eaebd4 |
| SHA512 | 3f13f8a98b997abf29168a8d034ac3cd7ed301ac1d95a30f6235f0ccff817fde4d19b3c47e08fd0a44f33efedaffdaa66690085b1af2936ec9aeb1eac9871b45 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eee847bb987f2ee90b394b2d33c3221c |
| SHA1 | ce5ad63a1e77067d045c8226db7eedc14c83cec6 |
| SHA256 | 4aaa13c552df6621b4b728e46d0e7ebcb018bf83a4685d40ee64ca1ed2b81454 |
| SHA512 | 48d8f536a932b46e509ec92e186d8724acdf70edea65aeefd7d339c20007b981147300914f29c6def98c1763c92a6260f8639a91fc00ddd09326b6b606562a79 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 655e1fc0c8279fd6a78069ba1b6a589d |
| SHA1 | 684b3bdfbe2ddc13686954798b34925503ed9cfa |
| SHA256 | 999fadfa9e9c95f6911e567a7044e9f9efa277073cc40b4a28af8931527a6e4d |
| SHA512 | 3e906969b3cad201aae876095c32177bfa24f51c1585eeaf06c383c27af7c075b89ab42d6bda2a43820e5d3d927d05bb0701498c4db2d47b4a39ff865c50f83a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1935efee944711cedf869320d233b7b4 |
| SHA1 | 2e71ef13990f1c98e32c19b2e176e85138d21e23 |
| SHA256 | 009687265c6f0e6f9b6d1fdc51f0995612414a9d9beb861ae7662d558fd592ff |
| SHA512 | eb71798743daf89d54ac19a50f549cf5f6cf62497203e139a32bd3a73d63371819d0d111403e957d51c47c89c6b289769060b402e3817abee953ca82c6630bf8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc95ad0c74b2ef8d146c045ff4d79e91 |
| SHA1 | 169724743f802f35152c64d9ef4db12769c18f9c |
| SHA256 | 8eedf347882db48a51f07e199b995754f767797d6b615a3d3042c33e20c7fde7 |
| SHA512 | 77e8f7355f2e2698f94d16cd0b3e53eb5b1a4b4da9f376484c33d8a5f3c0aaf8b31023a767acab1e02b475d25bb542c341c2ffc022aba20ff749a70716b9060f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 40d92bfc1b044bd91f5b6858503de671 |
| SHA1 | a48247d49928144f4b0d099e201941963945fb2c |
| SHA256 | b220e1c032e351a85ea960d491a2e02155eaf7ccbea25d5fc0a89f29910be42b |
| SHA512 | 9b472c3e80a6f1a5b7ac87d6a847e12fcaf62eb4d02ac687f76e3ec5b792974ede772b209907e9bd10efb6fab8a542bfa5cfc13280eb56b91289e8d260d1676b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0f9b97e3e9b0a2ded9e67dffc1b2e934 |
| SHA1 | 15a36da4748cf14101f3c6dab0e8fab94e216ddb |
| SHA256 | c9653ba22062244357476437385c89326b388f93fd29736f2c66d9f14eb2fbc4 |
| SHA512 | 7b5893797a75b8a2cd5fb71021b03fb06cf93590ab35fc658b781c4d43e81a18d62997628f3ebc592e9bf5ecca4eb9af1a04d0ce6d1634f2b96506331e13ef1b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d4102dbfdc2cb020109896490fff99e4 |
| SHA1 | 1e811c388b2e2934352d7e927a066b877573371a |
| SHA256 | b28800ced29c6b9c476d35a95dd5b43ed29efcd73a28c994e9e9f19a1c61569c |
| SHA512 | f7ceae047138ee51ff937f255788953309727d15d2b2dad87d74d45b1aa2a4c3905bf24c191d15282a4418ff127e1be4313269e0e392c00e289295e03279a0fa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c0e169edec9a575e826d12402d6be719 |
| SHA1 | a9bdea09012b3a19eb9b5bcd8a9a05d434d8b1e3 |
| SHA256 | 3c2a90559fafd2bb70befabadd4669ca15bdbaddc576721a98df16866bc2503e |
| SHA512 | b19069de83ca9555eb476eb2fe006e4db6fb570b9b44dc4d5dac37146caee8ff9846966993b1b55a9213783ef0dde912f88c3076963aba5d4720c73e298e1dc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e86c503cca765144d4aadadd2bfa3b4e |
| SHA1 | 46a1e6ae3763eb5e47b306bcac01656bbf57a747 |
| SHA256 | ae434340f7ef7c0620019c698f22cd7041f36d6ac6bbeaea2f06ddf1b0f4e0f7 |
| SHA512 | 3fd2bc386bfea2565420093e5a925ba12923b418bf6521d744ff0371f9d993285522bacdf17e1bf9e56f0265727570aaa4ca85e6dfc418da0ff49283f1e51c87 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2e962cc484556a5f3826dda50b43628 |
| SHA1 | 37c439ea05ae8d8e3510fba0e48d4da7edac04e8 |
| SHA256 | b0e4bde4c17b7c3ab340847d0b1923b84db8b364b4f663f8653493d0798dcc39 |
| SHA512 | 1b269c9843320f453e05a6e5f930a09a93373e6fb594fc28a0989028692411e442beb822f0859b0770af49d5f8894cb670c8ddc5aada0a085ffc171b334e17dc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c493cc1a2a5205a383b9ed839d9bd40f |
| SHA1 | 9fc32e11469fb47a290a96d27be14ea3a4aaa7e1 |
| SHA256 | 798212c6db0a8532030d260c1501c9a2f2a4622029d9ccb90abadba35fdf3da0 |
| SHA512 | 95391de88f63a80a53c543ec374c3a98b2c028ac37374087509d4bfac1a4bf447faa07c90d35eef8db0c18f5a914742d6d67b9f8322c60d0de2742ebb3c7dd8b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3cc39240662755a661d1af2bdcbcc001 |
| SHA1 | 55e912291202db6e260c42d64b9d0d9344420a2d |
| SHA256 | 1ada55ca0ea7ce3a6a26cc64d33733b360c0d90741c81c0ba35c0a0a94667510 |
| SHA512 | 394db817c491eed90911f86394c64036262cec48867682d7a970753b27cae921615247f430e488a5f39de5c1cf006a4fb431be23d239eab401941f8191d70e15 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b6ba6d1858e9a5c70e0a47d24a9cfd0 |
| SHA1 | 43a7d377727057ffaa3a0fd12ede45a2bfccdc2c |
| SHA256 | d74e4c1e1f0df6cb468a639287db7080c1710e2061502d73a642cb139cf91668 |
| SHA512 | 211867ef3702927f5380c9f56d39a1e308fd4d06b012080d86cf1cf22eeb01d895ad3f268503b8b1583a975731c392826929ca2303ebca738ceef6573e6ff414 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0a5e0c0888640655568264cca9cb6a30 |
| SHA1 | 0d3e5a3e2f5787eb693053fd7391a109b6b227f8 |
| SHA256 | 26ab9691c88d579c1aa323b032deef89db64d71eec9eea0ad85acb1f21ba3907 |
| SHA512 | e50ed73541afb76e60bcd5c8c575c40b290c5f8c15cf7673fcaa0f5847cc622097ddc0f629d81459ac4b71906daed35e75f656e8c94e8a25cd70626ed06523c1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c747b87f7bd1a8cb095fb364284e3f01 |
| SHA1 | e0a433c6472465a2b38aa9f9af1df58a274ad15e |
| SHA256 | 02ff7bdd89a31e2d8aed8c649c7f8bf27683aad5cc41809e109511950ff69bb3 |
| SHA512 | b39c2e38d0a53ea3501330421b67a029e6adff8aa0777fbabf759df05103be99e00cecef95140b03c22f6607fe811b94227212f0f035941f115e0f48413946be |
Analysis: behavioral25
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.js
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:56
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240708-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\tma-latest-bepinex.zip
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
140s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\.doorstop_version
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
143s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\harmony_interop_cache.dat
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
141s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20241010-en
Max time kernel
64s
Max time network
19s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240729-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2500 wrote to memory of 2212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2500 wrote to memory of 2212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2500 wrote to memory of 2212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2212 wrote to memory of 2780 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2212 wrote to memory of 2780 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2212 wrote to memory of 2780 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2212 wrote to memory of 2780 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\config\BepInEx.cfg
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BepInEx\config\BepInEx.cfg
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BepInEx\config\BepInEx.cfg"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 8b75246c3ab4056563293975835432b2 |
| SHA1 | f527c590bef8bcf810db6e5f84a6a488ee2841b3 |
| SHA256 | 3f3231d2be29698ced7dda51a72e1b8ed9483bdc984bb3fb44d16ef9be2e680a |
| SHA512 | be594d1131152db7a4398c8db0ef45c5613c84e8cf7c7d0d61eaabb7890217be9478d3497e6e3b64ea3eac7443caa472ef774bd9f9c75bada8748a67cdf92ffe |
Analysis: behavioral21
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240729-en
Max time kernel
94s
Max time network
16s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:56
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
138s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4188-0-0x00007FFB113CD000-0x00007FFB113CE000-memory.dmp
memory/4188-1-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp
memory/4188-2-0x00007FFB11330000-0x00007FFB11525000-memory.dmp
memory/4188-3-0x00007FFB11330000-0x00007FFB11525000-memory.dmp
memory/4188-4-0x00007FFB11330000-0x00007FFB11525000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20241023-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\Mono.Cecil.Mdb.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:53
Platform
win7-20240903-en
Max time kernel
47s
Max time network
16s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2520 wrote to memory of 2824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2520 wrote to memory of 2824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2520 wrote to memory of 2824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2824 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2824 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2824 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2824 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 0969e7ca09b1d56b2790231d51a7347c |
| SHA1 | 52c718e6dc70711805bc00a0fe5dc5f74fd512f4 |
| SHA256 | 0a9c065b7e63306bfcf5e2f68c4843b2de5367fc77fcec8d6906f37db01bb361 |
| SHA512 | 05d824775c2995f8950163ddf8d39bb868b9c5b633e6efaa5e0410b150f2d0b2ae249163b19b42bbc07b6eeddfb0b3e02262dda0c7a6ebca936634b0c3234a13 |
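The two Windows 7 runs above (behavioral9 for BepInEx.cfg and behavioral5 for chainloader_typeloader.dat) show the same three-process chain under "Suspicious use of WriteProcessMemory": cmd.exe writes into rundll32.exe, which writes into AcroRd32.exe. Read together with the Processes list, the rundll32 instance is `shell32.dll,OpenAs_RunDLL`, the Windows "Open with" dialog, so the chain is the sandbox double-clicking a file type with no registered handler and the dialog launching Adobe Reader; the memory writes are process creation, not injection. That reading is this editor's interpretation, not a statement the report makes. The Python below is an added example, not code from the report or from BepInEx: it parses rows copied from the behavioral5 table, rebuilds the chain, and labels each rundll32 command line. The PID-to-command-line pairing in SAMPLE_CMDLINES is an assumption inferred from the image paths (the report prints command lines without PIDs), and the label names and function names are this example's own.

```python
"""Rebuild the process chain behind the 'Suspicious use of WriteProcessMemory'
rows and label what each rundll32 command line invokes.

Added example, not part of the sandbox report or of BepInEx. SAMPLE_ROWS are
copied from the behavioral5 table; SAMPLE_CMDLINES pairs those PIDs with the
command lines the report lists (the pairing by image path is an assumption,
since the report gives no PIDs next to the command lines).
"""
import re

# Constructed input: the signature rows as printed in the report.
SAMPLE_ROWS = r"""
| PID 2520 wrote to memory of 2824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2520 wrote to memory of 2824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2824 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
"""

# Assumed PID -> command line pairing (inferred from the image paths).
SAMPLE_CMDLINES = {
    2520: r'cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat',
    2824: r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat',
    2888: r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat"',
}

ROW_RE = re.compile(
    r"^\|\s*PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s*\|[^|]*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|$"
)
ORDINAL_RE = re.compile(r",\s*#\d+\b")


def parse_write_rows(table_text):
    """Return de-duplicated (src_pid, dst_pid, src_image, dst_image) edges.

    The sandbox emits one identical row per WriteProcessMemory call, so the
    same parent->child pair appears several times; keep first-seen order.
    """
    edges, seen = [], set()
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_chain(edges):
    """Order the edges into a root->leaf chain of (pid, image) tuples.

    A parent writing into a process that only starts afterwards is the
    CreateProcess path (startup data is copied into the new child), which is
    why these rows double as a process tree. Only a single chain is
    supported; a branching tree or a cycle raises.
    """
    images, parent_of, child_of = {}, {}, {}
    for src, dst, src_img, dst_img in edges:
        images[src], images[dst] = src_img, dst_img
        parent_of[dst] = src
        if src in child_of and child_of[src] != dst:
            raise ValueError(f"PID {src} has more than one child; not a chain")
        child_of[src] = dst
    roots = [pid for pid in images if pid not in parent_of]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain = [roots[0]]
    while chain[-1] in child_of:
        nxt = child_of[chain[-1]]
        if nxt in chain:
            raise ValueError("cycle in WriteProcessMemory edges")
        chain.append(nxt)
    return [(pid, images[pid]) for pid in chain]


def classify_rundll32(cmdline):
    """Label what a rundll32 command line actually runs."""
    low = cmdline.lower()
    if "rundll32" not in low:
        return "not-rundll32"
    if "shell32.dll,openas_rundll" in low:
        # The Windows 'Open with' dialog: the shell had no handler for the
        # extension and asked which viewer to use. The file named after the
        # export is passed to the chosen viewer, not loaded as code.
        return "open-with-dialog"
    if ORDINAL_RE.search(cmdline):
        # rundll32 <dll>,#N loads the DLL and calls export ordinal N.
        return "ordinal-export"
    return "named-export"


def summarize(table_text, cmdlines):
    """Chain of (pid, image, rundll32 label) built from the report's rows."""
    out = []
    for pid, image in build_chain(parse_write_rows(table_text)):
        cmd = cmdlines.get(pid)
        out.append((pid, image, classify_rundll32(cmd) if cmd else "no-cmdline"))
    return out


if __name__ == "__main__":
    for pid, image, label in summarize(SAMPLE_ROWS, SAMPLE_CMDLINES):
        print(f"{pid:>5}  {label:<16}  {image}")
```

Run against the behavioral5 rows it yields the chain 2520 (cmd.exe) -> 2824 (rundll32.exe, open-with-dialog) -> 2888 (AcroRd32.exe); the same parser applied to the behavioral9 rows gives 2500 -> 2212 -> 2780 with the same labels. The `ordinal-export` label covers the `rundll32.exe <path>\*.dll,#1` invocations seen in the other runs, which are the sandbox's default action for a .dll and load the named file as a DLL.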
Analysis: behavioral6
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
149s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\config\BepInEx.cfg
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:56
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\HarmonyXInterop.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:56
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\Mono.Cecil.Mdb.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony20.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:56
Platform
win10v2004-20241007-en
Max time kernel
90s
Max time network
141s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.153.16.2.in-addr.arpa | udp |
Files
memory/3940-1-0x00007FFE2AA4D000-0x00007FFE2AA4E000-memory.dmp
memory/3940-0-0x00007FFDEAA30000-0x00007FFDEAA40000-memory.dmp
memory/3940-2-0x00007FFE2A9B0000-0x00007FFE2ABA5000-memory.dmp
memory/3940-3-0x00007FFE2A9B0000-0x00007FFE2ABA5000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\HarmonyXInterop.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2248 wrote to memory of 2428 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2248 wrote to memory of 2428 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2248 wrote to memory of 2428 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2428 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2428 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2428 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2428 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\.doorstop_version
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\.doorstop_version
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\.doorstop_version"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ed3f08d40043cd790176fa96b5771e89 |
| SHA1 | b7ceb35786cb89916564ca8b7c6824710709ff6d |
| SHA256 | 9267f9181cf2495554f282894114585b863650ec9490f3bb232374d89e06ab74 |
| SHA512 | 7a46f13e353b93fa45422056701e68b816896f071da90eddfaecf8760a9ba308cbebc76ae1ea7dd6eed03c0ab42f61c2584336bac55d1c95f7b354c1ac9cf601 |
Analysis: behavioral18
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:56
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/3924-1-0x00007FF9B3B0D000-0x00007FF9B3B0E000-memory.dmp
memory/3924-0-0x00007FF973AF0000-0x00007FF973B00000-memory.dmp
memory/3924-2-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp
memory/3924-3-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp
memory/3924-4-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:55
Platform
win7-20240903-en
Max time kernel
133s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A8ED6A41-DCF0-11EF-90A9-D60C98DC526F} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 905e7a7dfd70db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2e33e6ffabccd47b5f3bc0308b7145900000000020000000000106600000001000020000000ee0ac79979a9d65aa64cdd3399243a085325d023326b2fd29930dae29ce5c518000000000e80000000020000200000003edf2ffeed563d2c469ba18fa92722858ee19d71db87b8c6a21c130e3ace854120000000350a156b1318614a948c487b81fa0ba0615dc793c94a0f042df0ac92c36a1021400000000d0b1e7f1802190bf812ac88cd96008aa98c1b99fd6f9b16e22444e285259318b3c288af97d299b3744036b7b9300a80f7a06278e5f252239d16da808d8975a1 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444173033" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab1548.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar15B8.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |