Analysis Overview
SHA256
59821b8aabe5acc8b1eb91ed2de2cba91b05351c3d9e3bf52ba0ba786f359b87
Threat Level: Known bad
The file 3840x2970 DC Comics HD Wallpaper and Background.txt.iso was found to be: Known bad.
Malicious Activity Summary
PlugX
Plugx family
PlugX Rat Payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-22 15:41
Signatures
PlugX Rat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Plugx family
Analysis: behavioral9
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:50
Platform
win7-20220310-en
Max time kernel
4294344s
Max time network
319s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libEGL.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:49
Platform
win10v2004-en-20220113
Max time kernel
205s
Max time network
264s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 1416 -ip 1416
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1416 -s 472
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:50
Platform
win7-20220310-en
Max time kernel
4294344s
Max time network
320s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw_elf.dll,#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:49
Platform
win10v2004-en-20220113
Max time kernel
292s
Max time network
321s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw_elf.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:49
Platform
win10v2004-en-20220113
Max time kernel
217s
Max time network
268s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\d3dcompiler_47.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:49
Platform
win10v2004-en-20220113
Max time kernel
303s
Max time network
328s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.247.211.254:80 | N/A | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:49
Platform
win7-20220311-en
Max time kernel
4294337s
Max time network
334s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0x7fef67d9ec0,0x7fef67d9ed0,0x7fef67d9ee0
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1088 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1368 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1584 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\Bloom\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=1912 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1244 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=884 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=2256 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=2268 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1856 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1008 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1060 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | udp |
Files
C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad\settings.dat
| MD5 | 076beab1a441ec9ff2fbb37f3f9d8c94 |
| SHA1 | 03b3810cac5d079db35a31c94bf1b0307ccfcbbf |
| SHA256 | 7469538c6907e283652b6026b6e3680cc7421c07a320dbfb851fdd813a65f406 |
| SHA512 | 60d6f11768fae1affd7f6e4545f20dca025ccb3e94b9be97f41644aa0eae13f8acfca4830a4d658d0beeab9489967e86485ce53e399aa456326a7a3345d9c4d9 |
C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811\package.json
| MD5 | f2b68a4a5ff5d3a6fd2b6bab88b8bb39 |
| SHA1 | 568f4a6315bff20309d9be2b3fe2c4e248d39c40 |
| SHA256 | 5f60a974c59cc55c57173eae94f32b7d53b7cb11a6d97f69cb3a2af7bca5396e |
| SHA512 | e10abdfbf6d0acd91107018fa209e41dad375538b02515ca24441e85245cc13e5fdd6cc0d14c2f0ada46ef70f3de9a02541a93f84d8e906563905d5a1ceb1319 |
\??\pipe\crashpad_2044_NOPVKWOSCBQPZYHD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2044-57-0x0000000006C80000-0x0000000006C81000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:50
Platform
win10v2004-20220310-en
Max time kernel
287s
Max time network
342s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ffa2be99ec0,0x7ffa2be99ed0,0x7ffa2be99ee0
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x1b8,0x1c0,0x1c4,0x138,0x1bc,0x7ff6e9044e60,0x7ff6e9044e70,0x7ff6e9044e80
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=1912 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=2188 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\Bloom\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2644 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2016 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3168 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3080 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3112 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3144 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3152 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
Files
C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad\settings.dat
| MD5 | 859077f8330f712f052806fdc9d42718 |
| SHA1 | 2bf765b2ea5685f89a29874a4e0b10ca5407b27b |
| SHA256 | 40e56ba54df06db41a8faef13e407040007ed9cd06cbd94d392a6e012cc66012 |
| SHA512 | efe49b357d68389e8b978a24c60f39b30c2f8899a00f3e1344fadf0cfbf41b72d8652511e6ab5056769d57024ff0cdd7be733a6c3547d1f027ac189e9aa9340e |
C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364\package.json
| MD5 | f2b68a4a5ff5d3a6fd2b6bab88b8bb39 |
| SHA1 | 568f4a6315bff20309d9be2b3fe2c4e248d39c40 |
| SHA256 | 5f60a974c59cc55c57173eae94f32b7d53b7cb11a6d97f69cb3a2af7bca5396e |
| SHA512 | e10abdfbf6d0acd91107018fa209e41dad375538b02515ca24441e85245cc13e5fdd6cc0d14c2f0ada46ef70f3de9a02541a93f84d8e906563905d5a1ceb1319 |
\??\pipe\crashpad_2932_NNJTTWDFDKUSIIXI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral19
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:48
Platform
win7-20220310-en
Max time kernel
4294367s
Max time network
318s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bloom = "C:\\Users\\Admin\\AppData\\Roaming\\Bloom\\Bloom.exe --zAZsKBNE" | C:\Windows\system32\reg.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 536 wrote to memory of 1268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 536 wrote to memory of 580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\resources.bat"
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Bloom /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Bloom /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe --zAZsKBNE" /f
Network
Files
memory/536-54-0x000007FEFC511000-0x000007FEFC513000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:48
Platform
win10v2004-en-20220113
Max time kernel
54s
Max time network
130s
Command Line
Signatures
PlugX
PlugX Rat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bloom = "C:\\Users\\Admin\\AppData\\Roaming\\Bloom\\Bloom.exe --zAZsKBNE" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1056 wrote to memory of 1576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tar.exe |
| PID 1056 wrote to memory of 1796 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1056 wrote to memory of 1952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1056 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\resources.bat"
C:\Windows\system32\tar.exe
tar -xvf "app.zip" -C "C:\Users\Admin\AppData\Roaming"
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Bloom /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Bloom /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe --zAZsKBNE" /f
C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe"
Network
Files
C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe
| MD5 | c8635ab554fb726513b5e6e54409e185 |
| SHA1 | 353e271c00088c4195bd12af3241038004906ed5 |
| SHA256 | ae2b6557d6f2b37ba44cc8d7c80ebb66ec2d56392f7ee65ab3ca5108aed90674 |
| SHA512 | ac1daff8596e9258d019dbcc5f1447bf2cd1ffad87629a1742eac3a725352ca52c2f51a898936c8eaf3ffedd5f4733c86fe56d7bd69be42a2ba2242a52620dfa |
C:\Users\Admin\AppData\Roaming\Bloom\nw_elf.dll
| MD5 | c73b8e71aa716278dda520c7f6d7d3b8 |
| SHA1 | 2331fd8b3ed2cc02ee860f5faa0f12d6a80b00fe |
| SHA256 | 51cd730f33682a99410117cdac984f2e1ea21f7c8af113b0e830532e9849b316 |
| SHA512 | 3475e87a75d0d5483945dd9fe81b56d66baca35342b1db0e21bc28b3dcccf193b834b067d268447a538343be81b23af4dbfbd864258261ce5d45d69ef88692a6 |
C:\Users\Admin\AppData\Roaming\Bloom\nw.dll
| MD5 | 3d2dadc029a8b5fc745a956c1a5ee568 |
| SHA1 | a353b0fec54f5c853109b175cea49893b72f539e |
| SHA256 | b756c3f4de49600d23f369718cad7eb8645f7ada1dfafc71f47c18e3e2c5aadd |
| SHA512 | c513823f9ffaaba52d90f0a7733274787cbc9f380b3670da145a96947b4e1f6a539393f29ee22b65432048b8e15bd4014b760ec73e4e63a7b80975706467a5b5 |
C:\Users\Admin\AppData\Roaming\Bloom\ffmpeg.dll
| MD5 | dd861e1e5a552fa88759b995d92a8c52 |
| SHA1 | c1e8ab9f6abc84ce46ea3ddadbf7c5f5b671776a |
| SHA256 | 09385bebc5b187013f61eadbbd78cc3ce57450f817ac015f80eeec088487e1a4 |
| SHA512 | 0ebc82b17fe04cedb97451183c6280fec3838bed8ed0944530ea025e7aa36dac73092d16a9b975094b2ac85b1184d2f985598bc1856776f1679303c0e4e6f42a |
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:48
Platform
win7-20220311-en
Max time kernel
4294179s
Max time network
130s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Install.lnk
Network
Files
memory/852-54-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:49
Platform
win10v2004-en-20220113
Max time kernel
222s
Max time network
280s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:50
Platform
win10v2004-20220310-en
Max time kernel
168s
Max time network
254s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libGLESv2.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 3708 -ip 3708
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3708 -s 340
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:50
Platform
win10v2004-20220310-en
Max time kernel
163s
Max time network
265s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\node.dll,#1
Network
| Country | Destination | Domain | Proto |
| NL | 104.80.225.205:443 | | tcp |
| NL | 84.53.175.107:80 | | tcp |
| NL | 84.53.175.107:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:48
Platform
win10v2004-20220310-en
Max time kernel
226s
Max time network
300s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Install.lnk
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | api.msn.com | udp |
| US | 204.79.197.203:443 | api.msn.com | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:49
Platform
win7-20220311-en
Max time kernel
4294181s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1672 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1672 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1672 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\d3dcompiler_47.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1672 -s 92
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:49
Platform
win7-20220311-en
Max time kernel
4294361s
Max time network
319s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\node.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:49
Platform
win7-20220311-en
Max time kernel
4294360s
Max time network
318s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1352 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1352 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1352 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1352 -s 204
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:50
Platform
win7-20220310-en
Max time kernel
4294343s
Max time network
319s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\ffmpeg.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2022-03-22 15:39
Reported
2022-03-22 15:49
Platform
win7-20220311-en
Max time kernel
4294362s
Max time network
319s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1824 wrote to memory of 588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1824 wrote to memory of 588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1824 wrote to memory of 588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libGLESv2.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1824 -s 92
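The two things a responder can take from this report as indicators are the SHA256 values of the dropped files in the Files section and the shape of every rundll32 command line above: a DLL under the user's AppData tree invoked by export ordinal (",#1"). The script below is an added example, not part of the sandbox output or of any vendor tooling: it matches both against a list of telemetry records. The hash values and command lines are copied from this report; the Event record layout and the sample events (including a benign rundll32 line and an unknown hash) are constructed for the example and assumed to stand in for real process-creation and file-write logs.

```python
"""IOC matcher built from this report (added example, not sandbox output).

The SHA256 values and rundll32 command lines come from the report above; the
Event schema and SAMPLE_EVENTS are constructed sample telemetry, not real logs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Dropped-file hashes listed in the report's Files section (SHA256 -> file name).
IOC_SHA256 = {
    "51cd730f33682a99410117cdac984f2e1ea21f7c8af113b0e830532e9849b316": "nw_elf.dll",
    "b756c3f4de49600d23f369718cad7eb8645f7ada1dfafc71f47c18e3e2c5aadd": "nw.dll",
    "09385bebc5b187013f61eadbbd78cc3ce57450f817ac015f80eeec088487e1a4": "ffmpeg.dll",
}

# rundll32 calling a DLL export by ordinal from a path under %USERPROFILE%\AppData.
# Every rundll32 line in the report has this shape; a rundll32 call into a
# System32 DLL by a named export (the usual legitimate case) does not match.
RUNDLL32_ORDINAL = re.compile(
    r"""
    (?:^|\\)rundll32(?:\.exe)?\s+                                    # rundll32 binary
    "?(?P<dll>[a-z]:\\users\\[^"\s,]+?\\appdata\\[^"\s,]+?\.dll)"?   # DLL under AppData
    \s*,\s*\#(?P<ordinal>\d+)                                        # export by ordinal
    """,
    re.IGNORECASE | re.VERBOSE,
)


@dataclass(frozen=True)
class Event:
    kind: str    # "process" (detail = command line) or "file" (detail = sha256)
    pid: int
    detail: str


@dataclass(frozen=True)
class Hit:
    pid: int
    rule: str
    evidence: str


def match_process(cmdline: str) -> Optional[Tuple[str, int]]:
    """Return (dll_path, ordinal) when a command line loads an AppData DLL by ordinal."""
    m = RUNDLL32_ORDINAL.search(cmdline)
    if not m:
        return None
    return m.group("dll"), int(m.group("ordinal"))


def scan(events: List[Event]) -> List[Hit]:
    """Apply both indicators to a list of telemetry records."""
    hits: List[Hit] = []
    for ev in events:
        if ev.kind == "process":
            m = match_process(ev.detail)
            if m:
                hits.append(Hit(ev.pid, "rundll32_ordinal_from_appdata", f"{m[0]},#{m[1]}"))
        elif ev.kind == "file":
            name = IOC_SHA256.get(ev.detail.lower())  # hashes may be logged upper-case
            if name:
                hits.append(Hit(ev.pid, "known_plugx_dropped_file", f"{name} sha256={ev.detail.lower()}"))
    return hits


# Constructed sample telemetry: two command lines from the report, the cmd.exe
# launcher, a benign rundll32 line, one report hash and one unknown hash.
SAMPLE_EVENTS = [
    Event("process", 1416, r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw.dll,#1"),
    Event("process", 3708, r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libGLESv2.dll,#1"),
    Event("process", 852, r"cmd /c C:\Users\Admin\AppData\Local\Temp\Install.lnk"),
    Event("process", 4100, r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),  # benign
    Event("file", 1416, "B756C3F4DE49600D23F369718CAD7EB8645F7ADA1DFAFC71F47C18E3E2C5AADD"),
    Event("file", 1416, "0" * 64),  # unknown hash, no hit
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"pid={hit.pid} rule={hit.rule} {hit.evidence}")
```

The hash rule only ever catches these exact files; the command-line rule is the one worth keeping, since it keys on the loading technique rather than on the sample. Note that several of the report's rundll32 runs end in a WerFault crash, so a crash of rundll32 shortly after such a command line is corroborating evidence, not a sign the detonation was harmless.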