Analysis Overview
SHA256
43df4500189c83808a119ee66ee8b77488619eed618316d937461e602cdc156d
Threat Level: Known bad
The file 43df4500189c83808a119ee66ee8b77488619eed618316d937461e602cdc156d.zip was found to be: Known bad.
Malicious Activity Summary
Djvu family
Detected Djvu ransomware
Djvu Ransomware
Renames multiple (170) files with added filename extension
Modifies file permissions
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-25 21:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-25 21:11
Reported
2025-03-25 21:13
Platform
win7-20240903-en
Max time kernel
142s
Max time network
127s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Djvu family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\9d69b2ba-462c-46a9-89e8-f2ed5f9865b5\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9d69b2ba-462c-46a9-89e8-f2ed5f9865b5\\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\9d69b2ba-462c-46a9-89e8-f2ed5f9865b5\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
"C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\9d69b2ba-462c-46a9-89e8-f2ed5f9865b5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
"C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\taskeng.exe
taskeng.exe {6B4D6879-D72B-4ADE-8E3E-93145B5FFCFA} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\9d69b2ba-462c-46a9-89e8-f2ed5f9865b5\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
C:\Users\Admin\AppData\Local\9d69b2ba-462c-46a9-89e8-f2ed5f9865b5\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe --Task
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.96.1:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 104.21.96.1:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | vjsi.top | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 184.25.193.234:80 | www.microsoft.com | tcp |
| US | 104.21.96.1:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
memory/2084-0-0x0000000000640000-0x00000000006D1000-memory.dmp
memory/2084-1-0x0000000000640000-0x00000000006D1000-memory.dmp
memory/2084-3-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2084-2-0x00000000006E0000-0x00000000007FA000-memory.dmp
C:\Users\Admin\AppData\Local\9d69b2ba-462c-46a9-89e8-f2ed5f9865b5\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
| MD5 | f8ef98bbaff6ac82dacde20ee90bfa55 |
| SHA1 | 65761535a352bfeece2a708eaf6a329fc544872e |
| SHA256 | 5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de |
| SHA512 | 21618fa54b094fa37deeed5ef7e2fba6da13e57dc36119a5fe502e855a81fa5c9530b45a8be1a0333c8aa0ee862eb07f5c4af1c622b79bbfa8b3e4a3285790dd |
memory/2084-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2084-25-0x0000000000640000-0x00000000006D1000-memory.dmp
memory/2084-24-0x00000000006E0000-0x00000000007FA000-memory.dmp
memory/2084-23-0x0000000000400000-0x000000000055B000-memory.dmp
memory/2156-27-0x0000000000280000-0x0000000000311000-memory.dmp
memory/2156-28-0x0000000000400000-0x000000000055B000-memory.dmp
memory/2156-29-0x0000000000400000-0x000000000055B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 15241af5a6485f105275242d25693c2e |
| SHA1 | f65dd46bbe0ab1572e175222b66407cfe476263e |
| SHA256 | cdcccf4f7e2986f5402c6c42ca853d6a43eda33436a6ee09e6963aefcecba42f |
| SHA512 | 11cbb2bd75612d4300f103873990b36966bd70c5a89276086a53775318b81abb6ad26b6c4d4b985767ea44694584ea0ee1c2631c6a61843d9471ee2df5cf2d67 |
C:\Users\Admin\AppData\Local\Temp\CabF2D7.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 11d474ee0fdcaa1a9140ab483165977d |
| SHA1 | bf7dc35153085da2e0041f456cd90c983be0e240 |
| SHA256 | c55887727ac4fa7be32a924d36f8bbc46dc5608faa1ad694a571cd5bd1808f8d |
| SHA512 | 6735236eb9aedf6d63367f2293d9ddb6e99b12745df9b0f88de65a27989ff26fa25750ab1fb7517eb2cf6ee2279e7dedd61682479126eb2e70de152e5440d8ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | c9be626e9715952e9b70f92f912b9787 |
| SHA1 | aa2e946d9ad9027172d0d321917942b7562d6abe |
| SHA256 | c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4 |
| SHA512 | 7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 018e6cb9f1b288f92389fa97a1fc6563 |
| SHA1 | 1f4b3ffc16337c2aef7d064da8ed50f66fa53958 |
| SHA256 | d2645d5ac8efc77bb7b8e1e5915b74b036a8c055e185ed42d4b36634430764d7 |
| SHA512 | 3b16c037a32ba41ee9a2e6d1477fbfb6260d202a3115b499e186fd7cc0cf33015d7b4e2ee84ad8850779730fe4dfd77edd53e31f66fe9af6e3c845afaa0b4d15 |
memory/2156-44-0x0000000000400000-0x000000000055B000-memory.dmp
memory/2156-46-0x0000000000400000-0x000000000055B000-memory.dmp
memory/2156-49-0x0000000000400000-0x000000000055B000-memory.dmp
memory/1712-61-0x0000000000340000-0x00000000003D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarB5F8.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1712-71-0x0000000000400000-0x000000000055B000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2025-03-25 21:11
Reported
2025-03-25 21:13
Platform
win7-20250207-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3048 wrote to memory of 2944 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 3048 wrote to memory of 2944 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 3048 wrote to memory of 2944 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 3048 wrote to memory of 2944 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MihalyLevente_Vezetotrening.docx"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/3048-0-0x000000002FE01000-0x000000002FE02000-memory.dmp
memory/3048-2-0x000000007165D000-0x0000000071668000-memory.dmp
memory/3048-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/3048-9-0x000000007165D000-0x0000000071668000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2025-03-25 21:11
Reported
2025-03-25 21:13
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Processes
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mihály Levente_Tartalmi kivonat_2017.pdf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 6c5cee22b9d866be4c793d346a330b64 |
| SHA1 | cb7d510178be64afa554da7f2153c7140f4e1bcd |
| SHA256 | b789a42a4f1529ad99ff533272ba21506d19d9935c1971a85f9b9e75aeb41842 |
| SHA512 | c3f347a1c70d93031ee95be48e5e9bd5ab788d83211743e24d8124afe8aca6249e7d9f187eaecea9b6f2982e2a6ea4c838da8bf6735ca0c9d71e665d2f9e6e6b |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-25 21:11
Reported
2025-03-25 21:13
Platform
win10v2004-20250314-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Djvu family
Renames multiple (170) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\c2f4fb08-47a1-4510-989e-f2e140e82ccf\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c2f4fb08-47a1-4510-989e-f2e140e82ccf\\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\c2f4fb08-47a1-4510-989e-f2e140e82ccf\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
"C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c2f4fb08-47a1-4510-989e-f2e140e82ccf" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
"C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5464 -ip 5464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 2128
C:\Users\Admin\AppData\Local\c2f4fb08-47a1-4510-989e-f2e140e82ccf\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
C:\Users\Admin\AppData\Local\c2f4fb08-47a1-4510-989e-f2e140e82ccf\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe --Task
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1364 -ip 1364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3240 -ip 3240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1764
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.16.1:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 104.21.16.1:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | vjsi.top | udp |
| US | 8.8.8.8:53 | vjsi.top | udp |
| US | 8.8.8.8:53 | vjsi.top | udp |
| US | 8.8.8.8:53 | vjsi.top | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 104.21.16.1:443 | api.2ip.ua | tcp |
Files
memory/5464-1-0x00000000009F0000-0x0000000000A86000-memory.dmp
memory/5464-2-0x0000000000B40000-0x0000000000C5A000-memory.dmp
memory/5464-3-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\c2f4fb08-47a1-4510-989e-f2e140e82ccf\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
| MD5 | f8ef98bbaff6ac82dacde20ee90bfa55 |
| SHA1 | 65761535a352bfeece2a708eaf6a329fc544872e |
| SHA256 | 5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de |
| SHA512 | 21618fa54b094fa37deeed5ef7e2fba6da13e57dc36119a5fe502e855a81fa5c9530b45a8be1a0333c8aa0ee862eb07f5c4af1c622b79bbfa8b3e4a3285790dd |
memory/5464-16-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5464-15-0x0000000000B40000-0x0000000000C5A000-memory.dmp
memory/5464-14-0x0000000000400000-0x000000000055B000-memory.dmp
memory/3240-18-0x0000000000400000-0x000000000055B000-memory.dmp
memory/3240-19-0x0000000000400000-0x000000000055B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 105beeac2afd146c2d85038d111cf8a3 |
| SHA1 | 714b5b837adc01421d994a0694fa3a8f0988222e |
| SHA256 | 7e03566f246e4779a70866cfc20bf931426a49293532970841862abe5726b869 |
| SHA512 | 8399b019d174b33daf8afb3d0bcc61a63dadfeaa0243735aa0591f4c5746d2960f01547924637f8880ab996499cb8163bfed5ba9c46f850f1308d60174b51b9a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | c9be626e9715952e9b70f92f912b9787 |
| SHA1 | aa2e946d9ad9027172d0d321917942b7562d6abe |
| SHA256 | c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4 |
| SHA512 | 7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 690ba661f80d9233c71263a53a6c0b3c |
| SHA1 | ecda75893110d0a18503de4292ab367c702fed8e |
| SHA256 | 36bcdddc9efdb4407b6f6ecd84fe7d6108ccf713126740910796154f01ef0582 |
| SHA512 | c2827308280f860badd8354e5b903d82843f4a59a83c0a8f154d6abffacf78a8e123eaaaec535f0534049fa2c0d1bf8e9fe1313020060ac34ff8d133cca0885c |
memory/3240-26-0x0000000000400000-0x000000000055B000-memory.dmp
memory/3240-30-0x0000000000400000-0x000000000055B000-memory.dmp
memory/3240-31-0x0000000000400000-0x000000000055B000-memory.dmp
memory/1364-42-0x0000000000400000-0x000000000055B000-memory.dmp
memory/1364-43-0x0000000000400000-0x000000000055B000-memory.dmp
memory/1364-45-0x0000000000400000-0x000000000055B000-memory.dmp
F:\_readme.txt
| MD5 | 816b68812d5aa2d68eeff78ee6735fc4 |
| SHA1 | 0eb4b3914ec2098f36686da6b59c53d872023428 |
| SHA256 | 5bd89a0eaac1f5e7e89482d37d6b36dbaf7d9da869ebab6294a4ecd19bf97ef9 |
| SHA512 | 6ee8bf859936209374f0bead4d1ce4dd2085e97da3270a22ee4761b2a08954714777342ff554fa6515f2f96d56729f52257dbe8e21bdbbf18d1164b5caf6a68d |
memory/3240-391-0x0000000000400000-0x000000000055B000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-03-25 21:11
Reported
2025-03-25 21:13
Platform
win10v2004-20250314-en
Max time kernel
133s
Max time network
127s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MihalyLevente_Vezetotrening.docx" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 2.18.27.153:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/2840-0-0x00007FFECC410000-0x00007FFECC420000-memory.dmp
memory/2840-1-0x00007FFF0C42D000-0x00007FFF0C42E000-memory.dmp
memory/2840-3-0x00007FFECC410000-0x00007FFECC420000-memory.dmp
memory/2840-2-0x00007FFECC410000-0x00007FFECC420000-memory.dmp
memory/2840-4-0x00007FFECC410000-0x00007FFECC420000-memory.dmp
memory/2840-6-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-5-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-7-0x00007FFECC410000-0x00007FFECC420000-memory.dmp
memory/2840-12-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-11-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-10-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-13-0x00007FFECA1F0000-0x00007FFECA200000-memory.dmp
memory/2840-9-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-14-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-8-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-15-0x00007FFECA1F0000-0x00007FFECA200000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | d29962abc88624befc0135579ae485ec |
| SHA1 | e40a6458296ec6a2427bcb280572d023a9862b31 |
| SHA256 | a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866 |
| SHA512 | 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f |
memory/2840-35-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-36-0x00007FFF0C42D000-0x00007FFF0C42E000-memory.dmp
memory/2840-37-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-40-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-39-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-38-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-41-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-42-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-43-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
memory/2840-46-0x00007FFF0C390000-0x00007FFF0C585000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCDD8BC.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
Analysis: behavioral6
Detonation Overview
Submitted
2025-03-25 21:11
Reported
2025-03-25 21:13
Platform
win10v2004-20250314-en
Max time kernel
110s
Max time network
147s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mihály Levente_Tartalmi kivonat_2017.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=918D69C4E2A535A8E300C804CC6D03CF --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C9B7FE866F38245C051E7AD0D0EA5B58 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C9B7FE866F38245C051E7AD0D0EA5B58 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3D3102496D8360B9817FF8F9D166BEAA --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CDF37733B8E016F45BD84C51CBB07EAA --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2D5A56A0D4D749C6E0701CC28528B2C8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2D5A56A0D4D749C6E0701CC28528B2C8 --renderer-client-id=6 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0C6AAD0063FDE374FBB60ED329ABF628 --mojo-platform-channel-handle=2732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 109dcfc4ceb6bad483500e276bd14d5b |
| SHA1 | 04f378f178488a8f3ba42e2cca39f35cdf361ac6 |
| SHA256 | 2cab11865fd308158ccaacd2914b552546d518cc5996d85a48a55b7025bf99ea |
| SHA512 | 082a309d6cfb566de506ce56a3f0f8e0cbb95a0e592cc8a9c7466dcfcc5982409354828171f94cd76fbc8dfbdba7c014bfe0f357211ff4bfab198338bece050e |
Analysis: behavioral7
Detonation Overview
Submitted
2025-03-25 21:11
Reported
2025-03-25 21:13
Platform
win7-20241010-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Mérések Co2 lézeres kezelésre_v2.xlsx"
Network
Files
memory/2152-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2152-1-0x0000000072C3D000-0x0000000072C48000-memory.dmp
memory/2152-2-0x0000000072C3D000-0x0000000072C48000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2025-03-25 21:11
Reported
2025-03-25 21:13
Platform
win10v2004-20250314-en
Max time kernel
133s
Max time network
144s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Mérések Co2 lézeres kezelésre_v2.xlsx"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 88.221.135.25:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/3996-3-0x00007FFC27790000-0x00007FFC277A0000-memory.dmp
memory/3996-0-0x00007FFC27790000-0x00007FFC277A0000-memory.dmp
memory/3996-5-0x00007FFC27790000-0x00007FFC277A0000-memory.dmp
memory/3996-4-0x00007FFC677AD000-0x00007FFC677AE000-memory.dmp
memory/3996-2-0x00007FFC27790000-0x00007FFC277A0000-memory.dmp
memory/3996-1-0x00007FFC27790000-0x00007FFC277A0000-memory.dmp
memory/3996-8-0x00007FFC67710000-0x00007FFC67905000-memory.dmp
memory/3996-7-0x00007FFC67710000-0x00007FFC67905000-memory.dmp
memory/3996-11-0x00007FFC67710000-0x00007FFC67905000-memory.dmp
memory/3996-13-0x00007FFC67710000-0x00007FFC67905000-memory.dmp
memory/3996-12-0x00007FFC67710000-0x00007FFC67905000-memory.dmp
memory/3996-10-0x00007FFC67710000-0x00007FFC67905000-memory.dmp
memory/3996-6-0x00007FFC67710000-0x00007FFC67905000-memory.dmp
memory/3996-9-0x00007FFC67710000-0x00007FFC67905000-memory.dmp
memory/3996-14-0x00007FFC67710000-0x00007FFC67905000-memory.dmp
memory/3996-16-0x00007FFC24FC0000-0x00007FFC24FD0000-memory.dmp
memory/3996-15-0x00007FFC67710000-0x00007FFC67905000-memory.dmp
memory/3996-17-0x00007FFC24FC0000-0x00007FFC24FD0000-memory.dmp
memory/3996-27-0x00007FFC67710000-0x00007FFC67905000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | bef3836783d3f8cccec0b99dc66da112 |
| SHA1 | 8cb6241255fca5d85e6b77ef0f7dea6496cfcd15 |
| SHA256 | 2cbb9d53a8100fa974d4051dbd2ea2be4cd449cd984d62429e9044c5a3ee9948 |
| SHA512 | 25b684b8001a3af0e4930dca45e743938cd6200703a5a6ae4706fcca9fe5169c0a7f35ae85b0ee58dda55c4939bf954a902aa6351b410051e2f56ed7d4147099 |