Malware analysis Boson Exsim Ccna 200-301.zip Malicious activity

Add for printing

File name:	Boson Exsim Ccna 200-301.zip
Full analysis:	https://app.any.run/tasks/dde5f20c-40b2-4ab2-a42d-932104134642
Verdict:	Malicious activity
Threats:	CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It has been first observed in the wild in 2019. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 07, 2024, 23:34:30
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer cryptbot
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	90A396DD5751C2917E6F20B4B916B061
SHA1:	E60CE4EC1CC241A9738D3E523EEAF2DF54982D16
SHA256:	A535E4DB4D26039246C73792CDE2688CEEC822F3305421CF1EFC4C3C8D078C77
SSDEEP:	768:VnfPiyHeANgWlPOZ1wyJ4JS4HPBYpsqCxv35M5uanKjB9ejgRa:Nfp/gW41wx5Y8vQguj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Connects to the CnC server
  - Run.exe (PID: 240)
- CRYPTBOT has been detected (SURICATA)
  - Run.exe (PID: 240)
- Actions looks like stealing of personal data
  - Run.exe (PID: 240)
SUSPICIOUS
- Start notepad (likely ransomware note)
  - WinRAR.exe (PID: 6848)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6848)
- Searches for installed software
  - Run.exe (PID: 240)
INFO
- Reads Microsoft Office registry keys
  - WinRAR.exe (PID: 6848)
  - msedge.exe (PID: 2388)
  - Acrobat.exe (PID: 5060)
  - msedge.exe (PID: 4996)
- Reads the computer name
  - TextInputHost.exe (PID: 6236)
  - identity_helper.exe (PID: 7640)
  - identity_helper.exe (PID: 5292)
  - Run.exe (PID: 240)
  - Run.exe (PID: 5924)
  - Run.exe (PID: 2228)
  - Run.exe (PID: 7916)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 1044)
- Application launched itself
  - AcroCEF.exe (PID: 6628)
  - msedge.exe (PID: 2388)
  - Acrobat.exe (PID: 5060)
  - msedge.exe (PID: 4996)
  - Acrobat.exe (PID: 5976)
- Checks supported languages
  - TextInputHost.exe (PID: 6236)
  - identity_helper.exe (PID: 5292)
  - acrobat_sl.exe (PID: 5984)
  - identity_helper.exe (PID: 7640)
  - Run.exe (PID: 240)
  - Run.exe (PID: 5924)
  - Run.exe (PID: 7916)
  - Run.exe (PID: 2228)
- Reads Environment values
  - identity_helper.exe (PID: 5292)
  - identity_helper.exe (PID: 7640)
- Executable content was dropped or overwritten
  - AdobeARM.exe (PID: 5504)
  - WinRAR.exe (PID: 188)
- The process uses the downloaded file
  - WinRAR.exe (PID: 32)
  - msedge.exe (PID: 7624)
- Checks proxy server information
  - WinRAR.exe (PID: 6848)
- Manual execution by a user
  - WinRAR.exe (PID: 32)
  - Run.exe (PID: 240)
  - WinRAR.exe (PID: 188)
  - Run.exe (PID: 5924)
  - Run.exe (PID: 7916)
  - Run.exe (PID: 2228)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 188)
- Reads CPU info
  - Run.exe (PID: 240)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:06:22 13:22:38
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Boson Exsim Ccna 200-301/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

246

Monitored processes

116

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\#!!easy-install_8485!!#.zip" C:\Users\admin\Downloads\

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

188

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\#!!to_open_8485_PassW0rd$!!#\#!!to_open_8485_PassW0rd$!!#.rar" C:\Users\admin\Downloads\#!!to_open_8485_PassW0rd$!!#\

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

240

"C:\Users\admin\Downloads\#!!to_open_8485_PassW0rd$!!#\Run.exe"

C:\Users\admin\Downloads\#!!to_open_8485_PassW0rd$!!#\Run.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\downloads\#!!to_open_8485_passw0rd$!!#\run.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

460

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5040 --field-trial-handle=2428,i,4391235344223426279,5994261125806877408,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

936

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6600 --field-trial-handle=2428,i,4391235344223426279,5994261125806877408,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

964

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5184 --field-trial-handle=2428,i,4391235344223426279,5994261125806877408,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1044

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa6848.49834\READ ME.txt

C:\Windows\System32\notepad.exe

—

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

1104

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5548 --field-trial-handle=2428,i,4391235344223426279,5994261125806877408,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1452

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2456 --field-trial-handle=1572,i,6465259518849124027,8128621292585177709,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1792

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4316 --field-trial-handle=2428,i,4391235344223426279,5994261125806877408,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

56 990

Read events

56 501

Write events

458

Delete events

Modification events


(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Boson Exsim Ccna 200-301.zip
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@C:\Windows\System32\ieframe.dll,-10046
Value: Internet Shortcut
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
Operation:	write	Name:	txtfile
Value:

Add for printing

Executable files

Suspicious files

466

Text files

278

Unknown types

Dropped files

PID	Process	Filename		Type
6848	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6848.1970\DOWNLOAD NOW.pdf		pdf
		MD5:4698C85C89AF42220F77567F4DE0426E	SHA256:E9F9960C8DAA6616AD3F89BAA1583FFB74999F00E0BCB8B57175BEDC3E2BFA77
6848	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6848.49834\READ ME.txt		text
		MD5:5358E33274E5F3C7B406D0D7E84D4DD8	SHA256:D6C97CC37226BDB32FCFA200218DFAA4C18251D05439EE023A1704C4BEEA23C2
5992	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt		text
		MD5:6C0D47FC63141406976939534B9D86B3	SHA256:3964F2BD988DDCFA40B76652A200385B447680EB36D32827B100D2B03082D1E5
5992	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json		binary
		MD5:79270D9595B259B53E39403366436A8E	SHA256:AD0552A8B392315C512F6DC945F318AD83B98FB64415C0CED694843A3C5D2083
5992	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents		binary
		MD5:8E44A75E28480ADCD1F8F4A8B5D0CE40	SHA256:2466859160ABFDFD1F8DCACE078A90B7558838684DFFD9281DB650AD49323FF4
5060	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst		binary
		MD5:366B140BAFC863B7E366AA1E51604759	SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
6628	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old		text
		MD5:43D1F53B48631F8B32E040219417874B	SHA256:AA4C99C362EB18EB8B91EEB8821960807F725E7C5DE1FBABBA7B910BDA3EEEB8
6628	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old		text
		MD5:002CE9F1C8E638C89460289DFF260E3B	SHA256:710FF791CABA4771BFB6DBAFAF141DA47E1F041BC4040CBB7E7F82C69E15AF0C
6628	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old~RFef4eb.TMP		text
		MD5:E26AF4B6A1AD62E54D67510EEFE20B2C	SHA256:BF001234CF5F261254DEA1EA459BBFD4A35D15166C765CA3ED9B56D49A04BE1B
6628	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0		binary
		MD5:8621056CCC2E8AF2017AA51D32E3F2EC	SHA256:B7962BE7ABF3E4994DF4B7A1AD0C995E3DF232853D4A3E34712363A11B2909FC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

161

DNS requests

198

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5504	AdobeARM.exe	GET	404	23.48.23.34:80	http://acroipm2.adobe.com/assets/Owner/arm/2024/8/OwnerAPI/Rdr.txt	unknown	—	—	whitelisted
5504	AdobeARM.exe	GET	404	23.48.23.34:80	http://acroipm2.adobe.com/assets/Owner/arm/2024/8/UC/Other.txt	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5504	AdobeARM.exe	GET	404	23.48.23.34:80	http://acroipm2.adobe.com/assets/Owner/arm/32/adnme/NoValidReasonForAdnme.txt	unknown	—	—	whitelisted
5060	Acrobat.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted
5504	AdobeARM.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
5504	AdobeARM.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA0aNA9419AA4In9uq1lIt8%3D	unknown	—	—	whitelisted
7712	msedge.exe	GET	307	188.114.97.3:80	http://rimshardrctf.online/L4hJskLs2hSbSVsdb31hjKsbW	unknown	—	—	whitelisted
7712	msedge.exe	GET	307	188.114.97.3:80	http://rimshardrctf.online/L4hJskLs2hSbSVsdb31hjKsbW	unknown	—	—	whitelisted
240	Run.exe	POST	200	31.192.244.36:80	http://twez12ht.top/v1/upload.php	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3476	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5336	SearchApp.exe	92.123.104.32:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2208	svchost.exe	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2208	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
3260	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	216.58.206.46 142.250.186.78 142.250.185.238	whitelisted
www.bing.com	92.123.104.32 92.123.104.63 92.123.104.31 92.123.104.34 92.123.104.38 92.123.104.33	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.31.71 40.126.31.69 20.190.159.68 20.190.159.73 40.126.31.73 20.190.159.0 20.190.159.23 20.190.159.4	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
fd.api.iris.microsoft.com	20.199.58.43	whitelisted
th.bing.com	92.123.104.38 92.123.104.32 92.123.104.63 92.123.104.31 92.123.104.34	whitelisted
arc.msn.com	20.223.36.55 20.31.169.57	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
7712	msedge.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
7712	msedge.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
7712	msedge.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
7712	msedge.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
7712	msedge.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
7712	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7712	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7712	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7712	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)

Add for printing

No debug info

General Info

Boson Exsim Ccna 200-301.zip

90A396DD5751C2917E6F20B4B916B061

E60CE4EC1CC241A9738D3E523EEAF2DF54982D16

A535E4DB4D26039246C73792CDE2688CEEC822F3305421CF1EFC4C3C8D078C77

768:VnfPiyHeANgWlPOZ1wyJ4JS4HPBYpsqCxv35M5uanKjB9ejgRa:Nfp/gW41wx5Y8vQguj

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

CRYPTBOT has been detected (SURICATA)

Actions looks like stealing of personal data

SUSPICIOUS

Start notepad (likely ransomware note)

Reads security settings of Internet Explorer

Searches for installed software

INFO

Reads Microsoft Office registry keys

Reads the computer name

Reads security settings of Internet Explorer

Application launched itself

Checks supported languages

Reads Environment values

Executable content was dropped or overwritten

The process uses the downloaded file

Checks proxy server information

Manual execution by a user

Drops the executable file immediately after the start

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings