Malware Analysis Report

2025-08-10 22:41

Sample ID 250127-zngzqawjbn
Target tma-latest-bepinex.zip
SHA256 eff1f6f484f1be9c5ba67dba64907ca90081414dd83453e3df8e8074f6f8ccd0
Tags
discovery execution
score
3/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analyses behavioral2, behavioral7, behavioral15, behavioral19, behavioral26, behavioral27, behavioral25, behavioral12, behavioral13, behavioral22, behavioral1, behavioral4, behavioral8, behavioral11, behavioral14, behavioral17, behavioral9, behavioral21, behavioral24, behavioral31, behavioral5, behavioral6, behavioral10, behavioral30, behavioral32, behavioral16, behavioral28, behavioral29, behavioral3, behavioral18, behavioral20, behavioral23 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
3/10

SHA256

eff1f6f484f1be9c5ba67dba64907ca90081414dd83453e3df8e8074f6f8ccd0

Threat Level: Likely benign

The file tma-latest-bepinex.zip was found to be: Likely benign.

Malicious Activity Summary

discovery execution

The signature hits listed here are aggregated across all detonations. In the detonations reproduced on this page they are raised by the Windows guest's own file-association handlers (Explorer, the cmd/rundll32 "Open with" dialog, Adobe Reader, MSOXMLED.EXE and Internet Explorer) opening the extracted archive members as documents, not by code loaded from the archive; the rundll32 detonations of the .NET assemblies 0Harmony20.dll and BepInEx.dll produce no signatures at all. The only finding that concerns the archive contents themselves is the static "Unsigned PE" result.

System Location Discovery: System Language Discovery

Unsigned PE

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (no per-file indicator rows were recorded for this signature)
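
The static "Unsigned PE" result comes down to one field in each PE header. The following is an added example, not the sandbox's code: it walks a ZIP in memory and, for every member that begins with an MZ header, reads data directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY), where an Authenticode signature blob lives, and it re-checks the archive against the SHA256 reported above. The archive it audits is constructed inline (header-only stub PEs, not real binaries), so it runs offline; the expected hash constant is the one from this report.

```python
"""Added example (not the sandbox's code): the static check behind the
"Unsigned PE" signature, plus a hash check of the submitted archive."""
import hashlib
import io
import struct
import zipfile

EXPECTED_SHA256 = "eff1f6f484f1be9c5ba67dba64907ca90081414dd83453e3df8e8074f6f8ccd0"


def sha256_matches(data: bytes, expected: str = EXPECTED_SHA256) -> bool:
    return hashlib.sha256(data).hexdigest() == expected.lower()


def security_directory(pe: bytes):
    """Return (file_offset, size) of the Authenticode directory entry.
    None means the blob is not a PE we can parse; (0, 0) means no entry."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature; SizeOfOptionalHeader sits at +16 within it.
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # start of the optional header
    if len(pe) < opt + 2:
        return None
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    if len(pe) < count_off + 4:
        return None
    n_dirs = struct.unpack_from("<I", pe, count_off)[0]
    entry = dirs_off + 4 * 8                 # entry 4 = SECURITY, 8 bytes each
    if n_dirs < 5 or entry + 8 > opt + opt_size or entry + 8 > len(pe):
        return (0, 0)                        # header carries no security entry at all
    return struct.unpack_from("<II", pe, entry)


def is_signed(pe: bytes) -> bool:
    d = security_directory(pe)
    return d is not None and d[0] != 0 and d[1] != 0


def audit_zip(zip_bytes: bytes) -> dict:
    """Map each PE member of the archive to 'signed' or 'unsigned'."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if data[:2] == b"MZ":
                verdicts[info.filename] = "signed" if is_signed(data) else "unsigned"
    return verdicts


def build_minimal_pe(signed: bool, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE for offline testing; not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic, machine = (0x20B, 0x8664) if pe32plus else (0x10B, 0x14C)
    fixed = 112 if pe32plus else 96          # optional-header bytes before the directories
    n_dirs = 16
    opt = bytearray(fixed + n_dirs * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, fixed - 4, n_dirs)        # NumberOfRvaAndSizes
    if signed:
        # entry 4: file offset and size of a WIN_CERTIFICATE blob (values arbitrary here)
        struct.pack_into("<II", opt, fixed + 4 * 8, 0x400, 0x1000)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt)


def build_sample_zip() -> bytes:
    """Constructed archive: an unsigned PE32 DLL, a 'signed' PE32+ DLL, one XML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample/unsigned32.dll", build_minimal_pe(False))
        zf.writestr("sample/signed64.dll", build_minimal_pe(True, pe32plus=True))
        zf.writestr("sample/doc.xml", b"<doc/>")
    return buf.getvalue()


if __name__ == "__main__":
    z = build_sample_zip()
    print("archive hash matches report:", sha256_matches(z))
    for name, verdict in audit_zip(z).items():
        print(f"{verdict:9} {name}")
```

A populated security directory only says a signature blob is present; whether it verifies (certificate chain, timestamp, revocation) is a separate question for signtool or WinVerifyTrust. The reverse direction is the useful one here: an empty entry is exactly what "Unsigned PE" reports, and for a community mod loader shipped as plain managed DLLs that is expected rather than suspicious.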

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

140s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\tma-latest-bepinex.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\tma-latest-bepinex.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A
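
The Network table above is typical of a detonation in which nothing from the sample ran: every row is a PTR query to the resolver. As an added example that is not part of the report or its platform, the helper below parses rows in the table's plain-text shape, separates reverse lookups (which the guest OS issues on its own) from forward queries and from actual connections, and turns each in-addr.arpa name back into the address that was being reverse-resolved. The sample table is constructed from rows in this and the behavioral19 detonation plus one invented forward lookup (example.net) to exercise the third category.

```python
"""Added example (not the sandbox's tooling): classify the rows of a Network
table from this report so the analyst reads only the rows that matter."""
import ipaddress
import re
from collections import Counter

ROW_RE = re.compile(
    r"^(?P<country>[A-Z]{2})\s+(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\s+"
    r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)

# Constructed from rows in the behavioral2 and behavioral19 tables, plus one
# invented forward lookup (example.net); the header line is kept on purpose.
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 example.net udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""


def ptr_to_ip(name: str):
    """'97.17.167.52.in-addr.arpa' -> '52.167.17.97'; None if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def classify(port: int, domain: str) -> str:
    if port == 53:
        return "ptr-lookup" if ptr_to_ip(domain) else "dns-query"
    return "connection"


def triage(table_text: str) -> dict:
    rows = []
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                          # header or unparsable line
        row = m.groupdict()
        row["port"] = int(row["port"])
        row["kind"] = classify(row["port"], row["domain"])
        rows.append(row)
    reverse_targets = {ptr_to_ip(r["domain"]) for r in rows if r["kind"] == "ptr-lookup"}
    return {
        "rows": len(rows),
        "kinds": dict(Counter(r["kind"] for r in rows)),
        "resolvers": sorted({r["ip"] for r in rows if r["port"] == 53}),
        "reverse_lookup_targets": sorted(reverse_targets, key=ipaddress.IPv4Address),
        "forward_queries": sorted({r["domain"] for r in rows if r["kind"] == "dns-query"}),
        "connections": sorted({(r["domain"], r["ip"], r["port"], r["proto"])
                               for r in rows if r["kind"] == "connection"}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TABLE).items():
        print(f"{key}: {value}")
```

Reverse lookups are not evidence that the sample did anything; the detonation's only process here is Explorer.exe showing the archive. The addresses they decode to are still worth keeping, since a detonation that really did beacon would often show the same resolver traffic around the connection that matters.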

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\harmony_interop_cache.dat

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\harmony_interop_cache.dat

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\harmony_interop_cache.dat

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\harmony_interop_cache.dat"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c7faa736a414cc7cfc86f38c176af0fb
SHA1 cb0442a20297f3d91815e31315710a6b1fce1e40
SHA256 3a09c530c2b5de9d8a2d8d63ef060b9d14f9e8b52f3260640a1d42701c0ace22
SHA512 86a170903c191b53cba064183d4c3e6fab2abbf4b00a2b206f85a83e457f9e0c7863f7356511853e0301b1c5c5d5a3083838e783d1773bd25d45c57095d15872

Analysis: behavioral15

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony20.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony20.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240903-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9869D01-DCF0-11EF-9FB8-523A95B0E536} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not captured) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2abadddde466e4f9bd53201bd88377f00000000020000000000106600000001000020000000f4989955e2f167fe8193031da6583d2dc4c17548311df5c1f1db16a7c13fb9c8000000000e8000000002000020000000ef7ea5a68674361f8b40052c32c10cd1e56be96cb87e06e7c797f64bc898b8b620000000ab351b5b1d3c9539e7270a083080e53f9341facd03d1d222ab6ab10a3eabd41240000000c4204a7822b9f70fbe5c17f4fe341952ceab745f03d5df4c8c4ac3dba725fd0db56728c3411d987b5f4dd3db693b2bc400c75ddec3fdd60990123d661906c5ff C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 105f2b7efd70db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444173034" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 2412 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2988 wrote to memory of 2412 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2988 wrote to memory of 2412 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2988 wrote to memory of 2412 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2412 wrote to memory of 2372 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2412 wrote to memory of 2372 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2412 wrote to memory of 2372 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2412 wrote to memory of 2372 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2372 wrote to memory of 1864 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2372 wrote to memory of 1864 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2372 wrote to memory of 1864 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2372 wrote to memory of 1864 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
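
The table above is a strict chain: MSOXMLED.EXE writes into the iexplore.exe it started, which writes into the IEXPLORE.EXE it started, which writes into its own tab process, and every pair repeats four times. That is what a parent setting up a child it just launched looks like, and it is the opposite of what the signature exists to catch (a write into a process the sample did not create). The helper below is an added example, not the sandbox's code: it collapses the rows into writer/target edges with call counts and flags the three patterns that would warrant review. Its input is the twelve rows above plus one constructed row (PID 1432, explorer.exe) that shows what a genuine injection would look like; the list of long-lived system processes is an assumption of the example. Because the extracted Processes list carries no PIDs, the helper cannot prove parent/child relationships; it only rules out the patterns that would make this table interesting.

```python
r"""Added example (not the sandbox's code): reduce "Suspicious use of
WriteProcessMemory" rows to a graph and flag writes that look like injection
rather than a parent handing off to a child it just started."""
import re
from collections import Counter

ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<rest>.+)$")
# Two image paths follow, both containing spaces; split at the second drive letter.
PATHS_RE = re.compile(r"^(?P<writer>[A-Za-z]:\\.*?)\s+(?P<target>[A-Za-z]:\\.*)$")

# Assumption of this example: long-lived system processes that a freshly
# started document viewer has no reason to write into.
SYSTEM_HOSTS = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                "csrss.exe", "services.exe", "dwm.exe"}

HANDOFF = "linear chain: consistent with a parent writing into a child it just launched"

# The three distinct rows of the behavioral19 table, each repeated four times as
# in the report, plus one constructed row (PID 1432 / explorer.exe).
_REAL = [
    r"PID 2988 wrote to memory of 2412 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe",
    r"PID 2412 wrote to memory of 2372 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"PID 2372 wrote to memory of 1864 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
]
_CONSTRUCTED = r"PID 2372 wrote to memory of 1432 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Windows\explorer.exe"
SAMPLE_ROWS = "\n".join([row for row in _REAL for _ in range(4)] + [_CONSTRUCTED])


def parse_rows(text: str):
    """Return ({(writer_pid, target_pid): call_count}, {pid: image_path})."""
    edges, images = Counter(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        p = PATHS_RE.match(m["rest"]) if m else None
        if not p:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src], images[dst] = p["writer"], p["target"]
    return edges, images


def reaches(edges, start: int, goal: int) -> bool:
    """True if following write edges from start arrives at goal."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node == goal:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(d for (s, d) in edges if s == node)
    return False


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(text: str) -> dict:
    edges, images = parse_rows(text)
    writers_of = {}
    for src, dst in edges:
        writers_of.setdefault(dst, set()).add(src)
    findings = {}
    for (src, dst), calls in edges.items():
        reasons = []
        if basename(images[dst]) in SYSTEM_HOSTS:
            reasons.append("target is a long-lived system process")
        if len(writers_of[dst]) > 1:
            reasons.append("target written by more than one process")
        if reaches(edges, dst, src):
            reasons.append("target is an ancestor of the writer")
        findings[(src, dst)] = {
            "calls": calls,
            "writer": basename(images[src]),
            "target": basename(images[dst]),
            "verdict": "review: " + "; ".join(reasons) if reasons else HANDOFF,
        }
    return findings


if __name__ == "__main__":
    for (src, dst), f in sorted(triage(SAMPLE_ROWS).items()):
        print(f"{src} {f['writer']} -> {dst} {f['target']} x{f['calls']}: {f['verdict']}")
```

On the real rows every edge collapses to the handoff verdict; only the constructed explorer.exe row is flagged. When the sandbox's own process tree is available, the same check should also confirm that each target's parent PID is the writer, which the extracted table cannot show.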

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabF94E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF9FE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a40de7c8f39f1637842268901ba985ba
SHA1 6c3f49b2406a71b2b52f83239870a28a1191c9b2
SHA256 d77b8cb4e9d8201e8bf688e2d9a4b5bd864314e551745d4e94bef854d6a9db11
SHA512 74022c6fc0fe6d7bb2f53b463429a8e8f2c999efa1e262d47994a9a6668a4c9230bc66f4dca4b860444988a13f3a2e0191f0961e65055e086f8d38af27b44672

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98bdb8493fb60c41c5ae6d2223701a49
SHA1 71488729e82d0d258d74354e13336a6e6a355149
SHA256 e7030fc4e60087ec99d3ac339b083da6e488b127208d7cd6d1b01b06eb0eeb07
SHA512 d131c429dbdc97a9793f736cf244149ef236e17371d318967db431edd14a7aca9996651370fbe02d62fa8a4f2d7ac7f671ff52a25085ea3f1578716f8c1f0036

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3e22aea7fa72d21a97cff6eca8d53e2
SHA1 cc9501da5f4ca3c62ce8b0749df2c72b65df8847
SHA256 f57290c25cd5829d6ea07835b632a7b2e621b7b71f88d78a700576257a5b6401
SHA512 a7f2c7b53767d3edc7f964b9fc5bba3a316ede32688ac95a4bc62b00ea7f109d8faa7ce84c7425584f56fa1aed8b193340130c975b57f68a4e673c2c8fc9b155

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a28cb68d993562bcaea0aa79fd36cce8
SHA1 9ee14097eafb76f89b0fbd0e97451badb8d62dd5
SHA256 bf33560b9934968daa2c74f2531db1d4828e42c9c31f69e1d3a7ae49d2a99b2d
SHA512 95845578a97248090006167943b022af8675b9d7dd1e4acf14c5990c652955e1f0d28085106c21778a938128b889087347c97f8bde02183f0d0bdbb8624bbb55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65dcee0627a712e34d644c21e8dfadd6
SHA1 4165098bce64e17f92da8f97a82d7cd13d266d79
SHA256 534427916a26e705b9659ebe44b203b3bb62a7126011cba257ba6963fd5df9f1
SHA512 c0c6bad3c6fb727a17d82dcfa5dfe5fd29854b456bea7640aac72b1566f9824a19f0ecb724cb0b5e18a41a26871d3a1e37ee0c123eda065067793e40d5e48f83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9baf8caaef195849f63f91a4ca534de2
SHA1 00b566813830bf57a1b92b92a14461f79fe8a243
SHA256 d983b1ed3220d3520df994beaeeb44a9a5b2b57de0bef9de7261d12b2beda0f6
SHA512 598b7219dd29dacd2c92be3d6cdf23e58a625588ffa8883e56cfbc10fd877afb3e8b6414282be77781b9e07fe090ccf63f70ce319d823b3620ee4d15b38c3ce9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d03c4e902687490273bd4548b8f6f1e
SHA1 b7043e507e3b45ea417fdcb0950c7b0a7cdb7d58
SHA256 256d3816570153381c2a3e4fdecd649b5fc311443483b273d8be73725f5848e9
SHA512 e1ba6fbf1246554784d3486dc47f24985f27a3d0ad3cbf4715d09533258230b17a08f0ba8924e18fe858505cba6018df8477665e6e78c9bee04563bc7fb57c38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d62fdd11f189c5b104ad83b3b062820
SHA1 0716e27215d816295a5e8fa1b42ed2c39b53ad5e
SHA256 87fa65fd7e06f27218ef9d824d9d806601f2c875d30fb4f97afd0209e888600a
SHA512 7816345e81c54279e9d11fba12562ebdf5f97aae2bfbfc2bcb75096cda30e76fe132b9cc433a1381b24bcbf97c84f0dcd9547c86c007f9ecd14c206bba018cbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d67ff16c3b207304a68be197b89f258
SHA1 792d410ee3ebf4c6fb5546a030075c147110fd74
SHA256 9c90c16dee9830be774a6047df82f2c7d2c174a19f40478e077010d38c34c841
SHA512 2a2d86332448d8ff22db8dd9c39f5502a245fea829e9cb9766acf1bc6202ebebac062c0e5abcd31e48909171448f65e8df364ade5ca62c19b13ed3267d70fe03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2a60c5249c85ea2f64cd4a43462ab7f
SHA1 80076954db491f1fe0a9dc20fa4c6d242b4d11a1
SHA256 b27925514866c320fa3ce37f16eaa628e19a4064af2b40a7be7d8b658221ed61
SHA512 c23edda435353ef17bf475681b87c27294aa3827a0994c2de90651cb1ce1a7c0cba94bcf3f73e0c35cc694b595a954634774d0e531aee97b70d9857f58782cf8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8be37d64cd4dcb49d19fa202b2d698ff
SHA1 b1d9a5fbaa184df4b3dfd842744bd5523e51cb24
SHA256 369180076f23cfdea42cfd35d2a1dffd74471fe377905e4eb86707b01fba12d4
SHA512 7a9cb06171528ce9832ed50eb79fa2b51e9c99d8f32608589c4e703c167c0c97080b1cf7ddf0d5717b6128bc8700a7372df8a7dcf1dec4ad12259b419c58ae74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b01283017ad04b6381609e6423006c62
SHA1 63bc4ccf4705a868f38f5c4f82569093b76abc8f
SHA256 b6e2c5a62637da5430dfb9afcdbb872bdcd94da5ad9fff0ace2554690b26e2f1
SHA512 2cb5ef1332b1692be6b796e26ae7450c1e4908b44fadd217a5edad6f341cb326dc8453054d36c34d2940f06f95d39e6b7018190614bc140194aecaa29ea72359

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43a7dbebe39921b9d8b2aa6377bf658f
SHA1 eb0855bcba28e51a18a034e0336b3a50ca038cfd
SHA256 85b2a0c7073ee9b225ab615eebed4c8a245cac2432d3aadc4cf7ca5ed24c6df3
SHA512 49b55f0e2fdbc47cf4ba68a604adb4138643b81a97cde8ee6d66c76b7c3aa2adca0e413c85fe09a2fcff005b76fc7da4c2c042730ef99a2be19860ed60235c7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 25c0809abbe187bc990629e702da313c
SHA1 651b29eb9ae569053204b7e0c26b9ab81be8e215
SHA256 5331e214449825fb07299a01ffa952e609cfdca89eb69175a569243d15b5b92e
SHA512 3e00360ac9bbff745716ca7f7d75ab80cecbb2ae184064a7fb84309b2324054c00012a2702f3ed656c5983177634a2f992eb2569b6105468031d8feb7ba998c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3291c4aeda44fec904030e1446b261b3
SHA1 cafb9cc2e302726526c59c48e1e0c15a7be44c1c
SHA256 9b8ca1c8918bccfcc170c890ceb17854a917545f35a7f41034c0e5f24e3a88f5
SHA512 4687eb4d45eff479d3f0c4e21ec121864acc1e8056bd24d0fb7bc03600c4b889549baae47c8a59e4862eb8dbd31bf01755017db26b44bb762d9c954631b4c169

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e32f2491b2b0cec643bbbf9e17a57a1f
SHA1 18beac6fb711a1d8f1bb315edb601fa5940d0776
SHA256 dc8c4bb205fb6a64b69cb41c8455b1805e67983c2e8397045a65ca017b8f4234
SHA512 8029758d2f6559a1d55e782060f47c13bcefec662dc0e344d22d364c48b1f57e9d37d036b0e622b021abbb9bd07cc10746cae5ac2f50f932625d46dc67ed8d83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc58c76dbaa3fc3f97553c3232e55376
SHA1 6fb8143dba970c7febb941c0234e22a385ece38b
SHA256 35918f1f3b012fd58f2c12f6127d00826662a35f5ca2c4b3b7739a8040614438
SHA512 7cc812ce6c4de9d5e8b952f7ad1326baf8d46cfeed96667c8f286a6a91e4c7c966a1d341adc6068623d531310c232233c3f974b913014779ff756c342302b957

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7cd9261241ec447044e102ed5b090353
SHA1 38636697997ea0271b4880eedb67c2d9b38d4f80
SHA256 43ccfdc772245b649251b66ede5633bb62c79e5e13ed5aad41f99a71fbf534a3
SHA512 771d2b7c8d7f2d7c4e195dc5e4d7843cad58c84aed3e8ddc516dab8b72b5ec01ece8fbac47e59b9c9faa2a45856f5d5d6efa80737a6406125f3646c005c7bfe8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 329f5e16946babdcb2c1283b74eaffbc
SHA1 dcecbeba470a896f19ac7e2c70341df25b4b9aca
SHA256 1a3cfa0494f51ac11488ecb273c5b6a03754d27d6188ceb3638beef60da161b1
SHA512 a9e5585745fd24eebb76701b5cd7587f6e37a75d595331020f0b9349c3faa4b3dda72231cdf9679718f84200dcc7a3dfce0cf5f77feae21694ad5761730bd2fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57fe100e29f0565059560d458f4746db
SHA1 92b2e4c081e6fec4537ffaeb2563e4a01753ebe2
SHA256 f03e99f0b120704e9146beebb6d40b2b1121a0464d254e35443ebccc12cc2097
SHA512 9e7567609142074791bea7d1a06057ffb0ea4705d0cf59a4b0274af6bdb404e81d316a89cca87bba2fb20e50c7b7791108e5cd799d8a52a58800e465e1abfcfd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 644708a06670379fca33abe65825bb37
SHA1 a1f5a7cdc7b83c4bf3be33d72d4e814226d41b84
SHA256 555b0918645c77da6a9f66e007f5c23fd95feba1215dfcad854de3cb8b67b389
SHA512 302a8095d8d757b1711893f7a87d8e3bd50ea940dbc11a12055bf528a66b3d2be967b92cb06db5838a3ed0fa43da21532793748f76063f1a5479d30ef027761f

Analysis: behavioral26

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:56

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240903-en

Max time kernel

134s

Max time network

127s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9780E71-DCF0-11EF-8C40-E67A421F41DB} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40880e7efd70db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001527c96f3279b141918164042519387100000000020000000000106600000001000020000000ab951308ef6e72a0aef37ec09c402a61da441bc5722beed7a9dc156755aeae9c000000000e80000000020000200000004bda384e60cbdc741016fca06e4f4cca1ccc77e1ca5f738badb8dea042a1e927200000006ffd453989b959991bf9fe035ddfbc416fcfe45a3f70e57cbe090b4e2829135f40000000630e829c5915b7c357651ba43165605de9eea7de125a4de2f9cc799f4196f35b29229d61475cfa6cf5027ea43f65a31ceae2bacb5cea85bec9db953b10d6897b C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444173034" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 2380 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1804 wrote to memory of 2380 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1804 wrote to memory of 2380 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1804 wrote to memory of 2380 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2380 wrote to memory of 2988 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2380 wrote to memory of 2988 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2380 wrote to memory of 2988 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2380 wrote to memory of 2988 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2988 wrote to memory of 1232 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2988 wrote to memory of 1232 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2988 wrote to memory of 1232 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2988 wrote to memory of 1232 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabB6B5.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB754.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a72cceb40653edee9577e2b245395b1
SHA1 9647ea97b23d206d3e411613687cf561a2c5a0ce
SHA256 f6574a52ea02ea7cced4721ee823943db0eefefd4074030671100a88c4a44020
SHA512 824a0e09dd11a5465fe5eb4d3caf60b49ab5a09d9cda9fc096d2b31da179a5ac5fb5c2c63174e973b60cd016810fd4a9a68681717c031c25c99133f3719ceb7c


Analysis: behavioral25

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 11.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.js

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:56

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\tma-latest-bepinex.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\tma-latest-bepinex.zip

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\.doorstop_version

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\.doorstop_version

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

143s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\harmony_interop_cache.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\harmony_interop_cache.dat

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

141s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20241010-en

Max time kernel

64s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240729-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\config\BepInEx.cfg

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\config\BepInEx.cfg

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BepInEx\config\BepInEx.cfg

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BepInEx\config\BepInEx.cfg"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 8b75246c3ab4056563293975835432b2
SHA1 f527c590bef8bcf810db6e5f84a6a488ee2841b3
SHA256 3f3231d2be29698ced7dda51a72e1b8ed9483bdc984bb3fb44d16ef9be2e680a
SHA512 be594d1131152db7a4398c8db0ef45c5613c84e8cf7c7d0d61eaabb7890217be9478d3497e6e3b64ea3eac7443caa472ef774bd9f9c75bada8748a67cdf92ffe

Analysis: behavioral21

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240729-en

Max time kernel

94s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:56

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

138s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4188-0-0x00007FFB113CD000-0x00007FFB113CE000-memory.dmp

memory/4188-1-0x00007FFAD13B0000-0x00007FFAD13C0000-memory.dmp

memory/4188-2-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

memory/4188-3-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

memory/4188-4-0x00007FFB11330000-0x00007FFB11525000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20241023-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\Mono.Cecil.Mdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\Mono.Cecil.Mdb.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:53

Platform

win7-20240903-en

Max time kernel

47s

Max time network

16s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0969e7ca09b1d56b2790231d51a7347c
SHA1 52c718e6dc70711805bc00a0fe5dc5f74fd512f4
SHA256 0a9c065b7e63306bfcf5e2f68c4843b2de5367fc77fcec8d6906f37db01bb361
SHA512 05d824775c2995f8950163ddf8d39bb868b9c5b633e6efaa5e0410b150f2d0b2ae249163b19b42bbc07b6eeddfb0b3e02262dda0c7a6ebca936634b0c3234a13

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\config\BepInEx.cfg

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\config\BepInEx.cfg

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:56

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\HarmonyXInterop.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\HarmonyXInterop.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:56

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\Mono.Cecil.Mdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\Mono.Cecil.Mdb.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 196.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony20.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\0Harmony20.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:56

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

141s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.153.16.2.in-addr.arpa udp

Files

memory/3940-1-0x00007FFE2AA4D000-0x00007FFE2AA4E000-memory.dmp

memory/3940-0-0x00007FFDEAA30000-0x00007FFDEAA40000-memory.dmp

memory/3940-2-0x00007FFE2A9B0000-0x00007FFE2ABA5000-memory.dmp

memory/3940-3-0x00007FFE2A9B0000-0x00007FFE2ABA5000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\HarmonyXInterop.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\HarmonyXInterop.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\.doorstop_version

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\.doorstop_version

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\.doorstop_version

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\.doorstop_version"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ed3f08d40043cd790176fa96b5771e89
SHA1 b7ceb35786cb89916564ca8b7c6824710709ff6d
SHA256 9267f9181cf2495554f282894114585b863650ec9490f3bb232374d89e06ab74
SHA512 7a46f13e353b93fa45422056701e68b816896f071da90eddfaecf8760a9ba308cbebc76ae1ea7dd6eed03c0ab42f61c2584336bac55d1c95f7b354c1ac9cf601

Analysis: behavioral18

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:56

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Harmony.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/3924-1-0x00007FF9B3B0D000-0x00007FF9B3B0E000-memory.dmp

memory/3924-0-0x00007FF973AF0000-0x00007FF973B00000-memory.dmp

memory/3924-2-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/3924-3-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/3924-4-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:55

Platform

win7-20240903-en

Max time kernel

133s

Max time network

127s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A8ED6A41-DCF0-11EF-90A9-D60C98DC526F} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 905e7a7dfd70db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2e33e6ffabccd47b5f3bc0308b7145900000000020000000000106600000001000020000000ee0ac79979a9d65aa64cdd3399243a085325d023326b2fd29930dae29ce5c518000000000e80000000020000200000003edf2ffeed563d2c469ba18fa92722858ee19d71db87b8c6a21c130e3ace854120000000350a156b1318614a948c487b81fa0ba0615dc793c94a0f042df0ac92c36a1021400000000d0b1e7f1802190bf812ac88cd96008aa98c1b99fd6f9b16e22444e285259318b3c288af97d299b3744036b7b9300a80f7a06278e5f252239d16da808d8975a1 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444173033" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2748 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2688 wrote to memory of 2748 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2688 wrote to memory of 2748 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2688 wrote to memory of 2748 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2748 wrote to memory of 2704 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 2704 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 2704 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 2704 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2704 wrote to memory of 2120 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2704 wrote to memory of 2120 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2704 wrote to memory of 2120 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2704 wrote to memory of 2120 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BepInEx\core\BepInEx.Preloader.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab1548.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar15B8.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09685b8933071fab0b19f8d1116be355
SHA1 b6038b47180bcd2c29dcd244564a9d2b553a3eab
SHA256 45a5e116fdaac96988e4faf43d289bb7e0c97f179898784baf5a11f5edb41fa8
SHA512 f3f7ac78f13e6f86d0fd2f56104aaacf370a0f33bac1937d957d54424e57b231d90b4202c4e681626c3b5b34e48ff702608e3d827f7edeee5cd8b816b2280eaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97c174ef40fafbfeb94c32663b78ebab
SHA1 1a54441f22a838137dbfc87b06d41fead5fe8c88
SHA256 e248204a8541a1b4f2d20bdbc532b51b4409ddff07d8270257db6e551de8f4b3
SHA512 e173b21c13479511fb09b4a2296927389d6bcdca2b10672ba000e55cabc01d9c0f58dc8fdfc3aa8559be5a73fe26d4ee7204a34f4606882acabb1966e43e79b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ef2350a8cc70dbfce586d503d8d41ed
SHA1 2c5a1ad16d853993f2a50b9b1aa1b108a3fd2701
SHA256 fdb2ef0a4114e2ebe3284dd4720b6cb473a2956647bdc52468c17b818c66afa5
SHA512 1f0b8dc9a65963727a79d9cf2ec0fd76088815e14acb20ab028c1ced744bc71ab2b9a120f4eebbc620bb5b6c228e7d23de4507c87140b35af573a8bc6dd2063a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ba725646e8b83ab0a8232b3e7ce0797
SHA1 3ffacc3cb4156b147063a5d5cc9f847c0b093886
SHA256 9f1a1319b9c7b7d54c5531bdb822eee344d0e81966b96fee0800712e0e6a501d
SHA512 d477a6420663b8fd72242d052c098da65f9432e72bcc77d187ac0b6cbd52b53f0d99f1a1469fc16c87eb0a60e4a9f8fb53bbd7b0aa1f3d0a6a7dbfead7f0d19b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 053a13562b64756dbb802f87f691b2ea
SHA1 4fe90e6bcf91a32d2fd34c2dfc195f9904b4cdf9
SHA256 05b8b901f9de95d406b26c163a7ffc267f70fff0b1af5a97ad1dd1450980571d
SHA512 e2a22d6840db250efdc28a30cc71dd4bc51f320c185cf180dbfb4aa903e8832f1c01b6d87995bf8183d36ae8020ae9aaf093d4562292e128158c8c36a8cae69e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1170805489939a8f10f3ac84bad63b7f
SHA1 1488fb34dd8464182e32af59c8ea55ebed245456
SHA256 b2a97372e6a04a1b63885d03630e7d0c73c491a958775a10a495c4834148c704
SHA512 d0009a122c0a04c1180df86e9264fcebc1efd172866c85328c675e9ce8a8bf53801b8ddc866c48bc0987f7b11314421acde094d4259c6637951b38a94272663e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c11ba700c8accaa190f7c8ecac2ea74
SHA1 861425257f6b3b89af9587aab4fc6755e806fe40
SHA256 51ffc8f1cc527559b83323b73c4be5e98b88e54a04316a5b28cede7598060b83
SHA512 ef7b0f698fb9d0f61d516f14f12ba7baba4be1f63ce96792e10058ba52aa5dfc593bca9548df479d6e22b45f9a62f6bf08cb8d7cfbf3c871b4b9bf36d4980aa3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 758115b56212a2b5d8bb8574cd451f59
SHA1 f7036f717c78ec8dd7a78263cb390cefa56aaff3
SHA256 7cf017cb96b056312c74f80afa5fbc293a4d3b9efc26a98405d218e932be98f1
SHA512 05ebacc305b893962ad40f4e8bcc6ff64000eec0bc020b22d18d7eed20dad05be13512b417739836882ee110f67817523d716b5a4c9ccc3b36ccf03569e1c6c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 901cb84285cbd15ee832ed0d1a978a7a
SHA1 c2182b38dea2a040196edfd2d06b387a64c2f8a9
SHA256 51b117bafdd93084cd43b2a07bd595b6ed8a6aadc5dea136ef5141c5fdb24023
SHA512 a94bfff52e129dcdaeb52394e7938f8712cad9fb57d2a6784a56e6917de221257d326e06110a78ae4fff2e4a1eb6432f539042726e2ce8fbb5e2299a8037b26f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1ea0d1734693bcd7313aabc19acc491
SHA1 8de986102c11e5749048218593fc99addc23315f
SHA256 2ce81bb98e484c9233697a379ea256f5ec2bc7a94777a6896f3f04c1dd1101a7
SHA512 0219ee78ff46cf1c71a77d6d653b64374f2ca5aa80e8303095ae0b2896f6d685b5b23e4ebda340cdc158153560e3b542b0daba563e644f812e40dd16a3965776

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 038383d1e07faed2074600de7ea2cda6
SHA1 731ee17abc9048cd26485f0be142575677f069ff
SHA256 f6469d0b3d3c9ba8d0ce0fd0d2bf6e3989eac74f13c7b6e220673ad24599fe26
SHA512 dd04fd67cb70a8cd56416d663015e2e2e83d8d697829b12748eb8dee1dea0c41e8e48c7314cdd353038bb618cfaf33e416114433ed330fd5106ad2704dbfe54e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c3e0014b99db3e97b3e19b4e6c40118
SHA1 508218da82a7c74f377d27c46ae3458d3bd7d8c7
SHA256 16ec101101599099b8f94cc71fb814d30f793bc42fb33e2d93a4061b6b336b82
SHA512 48f51600a690e85452a952536998878ba319e52686beed02adb91423d91b84e813ab7a0b86238a45b267446a7e68db38d72062e64b910d911b130c1f79a7ba3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9684845221c3671a56be1e19c1cd164
SHA1 0aec0dd260a9822e88bc6c9cabecd0b3e50534a3
SHA256 52b6577096eae10a87ee0454b2fa3d23566dc12ce942240d9798c75448acf0f8
SHA512 4686afa42212c4072f8828536ef555e4577bb675d53ca0fbb8080589f9f017582a6549de8a9d8226196134f298f83cf7616763cff349ebbe022f0d76cc2bee8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e778512580218a3360e6d96ac020e514
SHA1 02f8391f4ab28a61a643964c57150debe0f87eb0
SHA256 de80e8c0f2b36e2908bdca7aad6aa74869f86e16c6c114c761c541c26726c81c
SHA512 5e53ae74ef283498ce878c908f67c2236dc7821e6eb53e4f9a6d39e1693deb4f19834d5566f99c8064840c8b691d16fa357888ceed2a2df745a1db6a5c609ec8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37c6020cf96382c38adfad47133adbd8
SHA1 f4a435dccdf2309205b1659adb60a8549da2f6b2
SHA256 c3f9b243b1aeb3fa18d88002504c31b6439df59b7743b77abf7d210591d2d592
SHA512 2fc9fa299870df1e99182c05085a7ff3555f507550c7ad81b01cc87dd11623998a42aa2fc0f46610603486d5e2ed0f4ef56de7eaddde841913d0e6676ad0545e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e4aad5a00bad6730ffc23dafc02bbe0
SHA1 3faabc5a246aaa79ff0f22e7ea9a6f3eebeb2feb
SHA256 754e202fc5002195b44ece8459832a6745072d65c2e39e78d019ad4681d95b46
SHA512 868caff1a96febd853fa6aebf6d887ae0bcc6e0190fd83c5b1cd43b43b81351ca9a0a927df56abcb541fee3b0f4f12b0415bbb717ced21dfb4659c355e889691

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54b9f9b8ef8f492a2e5d6baf6bb9a0fc
SHA1 26ef5a1be13419403a259b0c57e6e69df428eb95
SHA256 06b03148a4431f25e34c37f0c05ff493a46f45ad08d0ab0366eb7e0bdc1b43e3
SHA512 77247e5931d2e615d04526c6756b426a9aadcd95d112dc8ecbe0e40619e35f19211cf12978fe28dbc80edf102c7973b606ccf8aed8a9f2f948af3148bd16176e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23da9457c70090a14764bf062bd7f842
SHA1 ef24b0a59cf6a42eec8b60433a62c612d7d9082e
SHA256 b78dbffe9ee9748215a51689f1728e9ae42dec75e5e310af1803213cd1b82d99
SHA512 b001988c20475b5ec1ffa24003dddb6f0eceb1694a95bf07563128811657e864b73719bf2c2f60471b8a3256fa52edf53205910f90b1066b2eacd8ebd236e560