Malware analysis Boson Exsim Ccna 200-301.zip Malicious activity

Add for printing

File name:	Boson Exsim Ccna 200-301.zip
Full analysis:	https://app.any.run/tasks/dde5f20c-40b2-4ab2-a42d-932104134642
Verdict:	Malicious activity
Threats:	CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It has been first observed in the wild in 2019. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 07, 2024, 23:34:30
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer cryptbot
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	90A396DD5751C2917E6F20B4B916B061
SHA1:	E60CE4EC1CC241A9738D3E523EEAF2DF54982D16
SHA256:	A535E4DB4D26039246C73792CDE2688CEEC822F3305421CF1EFC4C3C8D078C77
SSDEEP:	768:VnfPiyHeANgWlPOZ1wyJ4JS4HPBYpsqCxv35M5uanKjB9ejgRa:Nfp/gW41wx5Y8vQguj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- CRYPTBOT has been detected (SURICATA)
  - Run.exe (PID: 240)
- Connects to the CnC server
  - Run.exe (PID: 240)
- Actions looks like stealing of personal data
  - Run.exe (PID: 240)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6848)
- Start notepad (likely ransomware note)
  - WinRAR.exe (PID: 6848)
- Searches for installed software
  - Run.exe (PID: 240)
INFO
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 1044)
- Reads the computer name
  - TextInputHost.exe (PID: 6236)
  - identity_helper.exe (PID: 5292)
  - identity_helper.exe (PID: 7640)
  - Run.exe (PID: 240)
  - Run.exe (PID: 5924)
  - Run.exe (PID: 7916)
  - Run.exe (PID: 2228)
- Reads Microsoft Office registry keys
  - WinRAR.exe (PID: 6848)
  - msedge.exe (PID: 2388)
  - Acrobat.exe (PID: 5060)
  - msedge.exe (PID: 4996)
- Checks supported languages
  - TextInputHost.exe (PID: 6236)
  - acrobat_sl.exe (PID: 5984)
  - identity_helper.exe (PID: 5292)
  - identity_helper.exe (PID: 7640)
  - Run.exe (PID: 240)
  - Run.exe (PID: 7916)
  - Run.exe (PID: 2228)
  - Run.exe (PID: 5924)
- Application launched itself
  - Acrobat.exe (PID: 5060)
  - AcroCEF.exe (PID: 6628)
  - msedge.exe (PID: 4996)
  - msedge.exe (PID: 2388)
  - Acrobat.exe (PID: 5976)
- Reads Environment values
  - identity_helper.exe (PID: 5292)
  - identity_helper.exe (PID: 7640)
- Executable content was dropped or overwritten
  - AdobeARM.exe (PID: 5504)
  - WinRAR.exe (PID: 188)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 188)
- The process uses the downloaded file
  - WinRAR.exe (PID: 32)
  - msedge.exe (PID: 7624)
- Checks proxy server information
  - WinRAR.exe (PID: 6848)
- Manual execution by a user
  - WinRAR.exe (PID: 32)
  - WinRAR.exe (PID: 188)
  - Run.exe (PID: 240)
  - Run.exe (PID: 2228)
  - Run.exe (PID: 5924)
  - Run.exe (PID: 7916)
- Reads CPU info
  - Run.exe (PID: 240)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:06:22 13:22:38
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Boson Exsim Ccna 200-301/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

246

Monitored processes

116

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\#!!easy-install_8485!!#.zip" C:\Users\admin\Downloads\

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

188

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\#!!to_open_8485_PassW0rd$!!#\#!!to_open_8485_PassW0rd$!!#.rar" C:\Users\admin\Downloads\#!!to_open_8485_PassW0rd$!!#\

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

240

"C:\Users\admin\Downloads\#!!to_open_8485_PassW0rd$!!#\Run.exe"

C:\Users\admin\Downloads\#!!to_open_8485_PassW0rd$!!#\Run.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\downloads\#!!to_open_8485_passw0rd$!!#\run.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

460

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5040 --field-trial-handle=2428,i,4391235344223426279,5994261125806877408,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

936

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6600 --field-trial-handle=2428,i,4391235344223426279,5994261125806877408,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

964

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5184 --field-trial-handle=2428,i,4391235344223426279,5994261125806877408,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1044

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa6848.49834\READ ME.txt

C:\Windows\System32\notepad.exe

—

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

1104

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5548 --field-trial-handle=2428,i,4391235344223426279,5994261125806877408,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1452

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2456 --field-trial-handle=1572,i,6465259518849124027,8128621292585177709,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1792

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4316 --field-trial-handle=2428,i,4391235344223426279,5994261125806877408,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

56 990

Read events

56 501

Write events

458

Delete events

Modification events


(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Boson Exsim Ccna 200-301.zip
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@C:\Windows\System32\ieframe.dll,-10046
Value: Internet Shortcut
(PID) Process:	(6848) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
Operation:	write	Name:	txtfile
Value:

Add for printing

Executable files

Suspicious files

466

Text files

278

Unknown types

Dropped files

PID	Process	Filename		Type
6848	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6848.1970\DOWNLOAD NOW.pdf		pdf
		MD5:4698C85C89AF42220F77567F4DE0426E	SHA256:E9F9960C8DAA6616AD3F89BAA1583FFB74999F00E0BCB8B57175BEDC3E2BFA77
5992	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING		mp3
		MD5:DC84B0D741E5BEAE8070013ADDCC8C28	SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
6628	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0		binary
		MD5:748A273AC2A936161DBC9B279097A017	SHA256:29987385B8C3D05CFB73AA19702D7E257DA6E706AF360FEA821BD0EA04DC01A1
5992	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents		binary
		MD5:8E44A75E28480ADCD1F8F4A8B5D0CE40	SHA256:2466859160ABFDFD1F8DCACE078A90B7558838684DFFD9281DB650AD49323FF4
6628	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old		text
		MD5:002CE9F1C8E638C89460289DFF260E3B	SHA256:710FF791CABA4771BFB6DBAFAF141DA47E1F041BC4040CBB7E7F82C69E15AF0C
6628	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old~RFef652.TMP		text
		MD5:B875B798FCFA464DB41DDC9789BDB161	SHA256:F6259A0B5E546CB737118D559D0FBDFFDCEC68AD4F7B95451FED263058606B13
6628	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RFef604.TMP		text
		MD5:FCD96552DAA6924F8C1E9C378163E2C9	SHA256:E8EC8E1501E489B27B564C363F4E60963DD57180453B35B092A4B3769E7AA5CA
5992	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal		binary
		MD5:333D21246166A045492BCE6F0C889130	SHA256:677339F1076480001B1E32C49AEA992698EF30676B2519E9D9CE761D354FF402
6628	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old		text
		MD5:EC382FFF4B7232181CDB8226E9C289C7	SHA256:27BDA724E8E0654E4BDA2F8E98FE399EF826F052F73FBBDB19CDF78954DB9954
6628	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0		binary
		MD5:701CD634228433DEC0DDDA352E941CF8	SHA256:885B58552F267323C20DE60F70C23F9572240DB38EA2CB911651C22C227FC271

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

161

DNS requests

198

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6572	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2208	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5504	AdobeARM.exe	GET	304	23.48.23.34:80	http://acroipm2.adobe.com/assets/Owner/arm/ReportOwner.txt	unknown	—	—	whitelisted
6604	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5504	AdobeARM.exe	GET	304	23.48.23.34:80	http://acroipm2.adobe.com/assets/Owner/arm/ProcessMAU.txt	unknown	—	—	whitelisted
5504	AdobeARM.exe	GET	404	23.48.23.34:80	http://acroipm2.adobe.com/assets/Owner/arm/2024/8/OwnerAPI/Rdr.txt	unknown	—	—	whitelisted
5504	AdobeARM.exe	GET	404	23.48.23.34:80	http://acroipm2.adobe.com/assets/Owner/arm/2024/8/UC/Other.txt	unknown	—	—	whitelisted
5504	AdobeARM.exe	GET	404	23.48.23.34:80	http://acroipm2.adobe.com/assets/Owner/arm/32/adnme/NoValidReasonForAdnme.txt	unknown	—	—	whitelisted
5060	Acrobat.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3476	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5336	SearchApp.exe	92.123.104.32:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2208	svchost.exe	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2208	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
3260	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	216.58.206.46 142.250.186.78 142.250.185.238	whitelisted
www.bing.com	92.123.104.32 92.123.104.63 92.123.104.31 92.123.104.34 92.123.104.38 92.123.104.33	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.31.71 40.126.31.69 20.190.159.68 20.190.159.73 40.126.31.73 20.190.159.0 20.190.159.23 20.190.159.4	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
fd.api.iris.microsoft.com	20.199.58.43	whitelisted
th.bing.com	92.123.104.38 92.123.104.32 92.123.104.63 92.123.104.31 92.123.104.34	whitelisted
arc.msn.com	20.223.36.55 20.31.169.57	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
7712	msedge.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
7712	msedge.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
7712	msedge.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
7712	msedge.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
7712	msedge.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
7712	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7712	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7712	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7712	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)

Add for printing

No debug info

General Info

Boson Exsim Ccna 200-301.zip

90A396DD5751C2917E6F20B4B916B061

E60CE4EC1CC241A9738D3E523EEAF2DF54982D16

A535E4DB4D26039246C73792CDE2688CEEC822F3305421CF1EFC4C3C8D078C77

768:VnfPiyHeANgWlPOZ1wyJ4JS4HPBYpsqCxv35M5uanKjB9ejgRa:Nfp/gW41wx5Y8vQguj

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

CRYPTBOT has been detected (SURICATA)

Connects to the CnC server

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Start notepad (likely ransomware note)

Searches for installed software

INFO

Reads security settings of Internet Explorer

Reads the computer name

Reads Microsoft Office registry keys

Checks supported languages

Application launched itself

Reads Environment values

Executable content was dropped or overwritten

Drops the executable file immediately after the start

The process uses the downloaded file

Checks proxy server information

Manual execution by a user

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings