Analysis Overview
SHA256
1a930e695cc45966c0ce1ad4ee6c2b2bf9e00cc9729b79d97a2da8fb8f78f8ee
Threat Level: Known bad
The file S0ftwarelnstaIIer.rar was found to be: Known bad.
Malicious Activity Summary
Aurora family
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-25 17:09
Signatures
Aurora family
Analysis: behavioral30
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220812-es
Max time kernel
120s
Max time network
180s
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\launchera.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\launchera.exe
"C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\launchera.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 572
Network
Files
memory/1936-120-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-121-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-122-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-123-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-125-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-126-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-127-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-124-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-130-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-131-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-129-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-134-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-133-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-135-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-137-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-139-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-141-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-143-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-145-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-147-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-148-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-146-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-149-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-150-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-152-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-153-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-151-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-144-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-154-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-156-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-155-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-142-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-158-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-157-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-140-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-138-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-136-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-132-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
memory/1936-128-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220812-es
Max time kernel
121s
Max time network
147s
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\system\getuser.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.189.173.4:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220812-es
Max time kernel
31s
Max time network
103s
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2364 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\7zci.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\7zci.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 624
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 51.11.192.48:443 | | tcp |
| N/A | 8.253.146.249:80 | | tcp |
Files
memory/2648-120-0x0000000000000000-mapping.dmp
memory/2648-121-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-123-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-122-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-124-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-126-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-125-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-127-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-129-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-130-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-132-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-133-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-134-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-135-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-131-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-128-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-136-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-137-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-138-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-139-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-140-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-141-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-142-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-143-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-144-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-145-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-146-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-147-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-148-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-150-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-149-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-151-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-152-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-153-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-154-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-155-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-156-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-157-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-158-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-159-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-160-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-161-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-162-0x00000000778C0000-0x0000000077A4E000-memory.dmp
memory/2648-163-0x00000000778C0000-0x0000000077A4E000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220812-es
Max time kernel
47s
Max time network
59s
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4112 wrote to memory of 3772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4112 wrote to memory of 3772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4112 wrote to memory of 3772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\ssl\libeay32.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\ssl\libeay32.dll",#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.224.151.203:443 | | tcp |
Files
memory/3772-118-0x0000000000000000-mapping.dmp
memory/3772-119-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-120-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-121-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-122-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-123-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-124-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-125-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-126-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-127-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-128-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-129-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-130-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-131-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-132-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-133-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-134-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-135-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-136-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-137-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-138-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-139-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-140-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-141-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-142-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-143-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-144-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-145-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-146-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-147-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-148-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-149-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-150-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-151-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-152-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-153-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-154-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-155-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-156-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-157-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-158-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-159-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-160-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-161-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-162-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-163-0x0000000077890000-0x0000000077A1E000-memory.dmp
memory/3772-164-0x0000000077890000-0x0000000077A1E000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220812-es
Max time kernel
136s
Max time network
149s
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\files\redir64.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.42.65.84:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:13
Platform
win10-20220812-es
Max time kernel
44s
Max time network
65s
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\dialogs\dlglist.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.42.73.25:443 | | tcp |
| N/A | 13.107.4.50:80 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220812-es
Max time kernel
122s
Max time network
178s
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\dialogs\dlgtree.js"
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220812-es
Max time kernel
119s
Max time network
181s
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\launcher.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\launcher.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 572
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.189.173.4:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
Files
memory/2716-120-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-121-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-123-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-122-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-125-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-126-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-127-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-130-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-132-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-135-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-134-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-136-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-138-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-137-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-141-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-142-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-143-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-140-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-144-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-139-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-145-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-146-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-147-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-148-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-150-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-151-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-152-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-153-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-149-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-155-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-154-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-156-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-133-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-131-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-129-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-128-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-158-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-157-0x0000000077C80000-0x0000000077E0E000-memory.dmp
memory/2716-124-0x0000000077C80000-0x0000000077E0E000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220812-es
Max time kernel
41s
Max time network
149s
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\files\calchash.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 2.16.119.157:443 | | tcp |
| N/A | 20.189.173.10:443 | | tcp |
| N/A | 13.107.4.50:80 | | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220812-es
Max time kernel
46s
Max time network
157s
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\internet\download.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 51.105.71.137:443 | | tcp |
| N/A | 8.252.51.254:80 | | tcp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220812-es
Max time kernel
47s
Max time network
75s
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\sources\unpackfile.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.42.73.25:443 | | tcp |
| N/A | 8.248.3.254:80 | | tcp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220901-es
Max time kernel
43s
Max time network
69s
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2620 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2620 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2620 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\sources\unppmd.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\sources\unppmd.dll",#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 52.109.77.2:443 | | tcp |
| N/A | 51.104.15.253:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
Files
memory/2668-120-0x0000000000000000-mapping.dmp
memory/2668-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2668-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220812-es
Max time kernel
45s
Max time network
75s
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\files\fileinfo.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.42.73.25:443 | | tcp |
| N/A | 8.248.3.254:80 | | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:16
Platform
win10-20220812-es
Max time kernel
46s
Max time network
107s
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2616 wrote to memory of 3824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2616 wrote to memory of 3824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2616 wrote to memory of 3824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\cab\cab2g.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\cab\cab2g.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 620
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.42.73.25:443 | | tcp |
| N/A | 13.107.4.50:80 | | tcp |
| N/A | 52.109.8.45:443 | | tcp |
Files
memory/3824-115-0x0000000000000000-mapping.dmp
memory/3824-116-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-117-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-118-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-119-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-120-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-121-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-122-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-123-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-125-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-124-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-126-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-127-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-128-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-129-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-130-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-131-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-132-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-134-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-133-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-135-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-137-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-136-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-138-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-139-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-140-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-141-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-142-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-143-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-144-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-145-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-146-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-147-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-148-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-149-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-150-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-151-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-152-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-153-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-154-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-155-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-156-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-157-0x0000000076F80000-0x000000007710E000-memory.dmp
memory/3824-158-0x0000000076F80000-0x000000007710E000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220901-es
Max time kernel
41s
Max time network
82s
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2012 wrote to memory of 3920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2012 wrote to memory of 3920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2012 wrote to memory of 3920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\citools.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\citools.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 668
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.123.141.233:443 | | tcp |
| N/A | 52.178.17.2:443 | | tcp |
| N/A | 96.16.53.137:80 | | tcp |
Files
memory/3920-120-0x0000000000000000-mapping.dmp
memory/3920-121-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-122-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-124-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-123-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-125-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-126-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-127-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-128-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-129-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-130-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-131-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-132-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-133-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-134-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-135-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-136-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-137-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-138-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-140-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-141-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-139-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-142-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-144-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-143-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-145-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-147-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-148-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-150-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-149-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-146-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-153-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-155-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-156-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-157-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-158-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-154-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-152-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-160-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-159-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-162-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-161-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-164-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-163-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-165-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-151-0x00000000778B0000-0x0000000077A3E000-memory.dmp
memory/3920-166-0x00000000778B0000-0x0000000077A3E000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220901-es
Max time kernel
40s
Max time network
70s
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\odbc\odbcquery.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 52.109.13.64:443 | | tcp |
| N/A | 20.189.173.3:443 | | tcp |
| N/A | 84.53.175.11:80 | | tcp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220812-es
Max time kernel
41s
Max time network
149s
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\sources\zipdecode.vbs"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 52.109.13.64:443 | | tcp |
| N/A | 2.16.119.157:443 | | tcp |
| N/A | 20.189.173.10:443 | | tcp |
| N/A | 13.107.4.50:80 | | tcp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220812-es
Max time kernel
132s
Max time network
145s
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\libstdc++-6.dll",#1
Network
| Country | Destination | Domain | Proto |
| N/A | 2.16.119.157:443 | | tcp |
| N/A | 20.189.173.4:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220812-es
Max time kernel
44s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\launcherart.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\launcherart.exe
"C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\launcherart.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 572
Network
| Country | Destination | Domain | Proto |
| N/A | 51.105.71.137:443 | | tcp |
| N/A | 8.252.51.254:80 | | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220812-es
Max time kernel
134s
Max time network
147s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\regobj\regdll.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 104.208.16.88:443 | | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220901-es
Max time kernel
43s
Max time network
69s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\uninstall\rununinst.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 51.104.15.253:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220812-es
Max time kernel
46s
Max time network
147s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\ftp\ftp.ps1"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.13.62:443 | | tcp |
| N/A | 13.89.179.10:443 | | tcp |
| N/A | 13.107.4.50:80 | | tcp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220812-es
Max time kernel
44s
Max time network
147s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\libsqlite3-0.dll",#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2616 -s 276
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.13.64:443 | | tcp |
| N/A | 104.208.16.88:443 | | tcp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220812-es
Max time kernel
136s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4012 wrote to memory of 3988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4012 wrote to memory of 3988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4012 wrote to memory of 3988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\EXELink.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\EXELink.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 628
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.13.62:443 | | tcp |
| N/A | 20.42.65.84:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220901-es
Max time kernel
39s
Max time network
53s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\files\search.js"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220812-es
Max time kernel
132s
Max time network
145s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\prog\splitfor.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 2.16.119.157:443 | | tcp |
| N/A | 20.189.173.4:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220901-es
Max time kernel
38s
Max time network
70s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\regini\iniformat.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.178.17.2:443 | | tcp |
| N/A | 96.16.53.137:80 | | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220812-es
Max time kernel
46s
Max time network
58s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\regini\regfor.js"
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220901-es
Max time kernel
39s
Max time network
53s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2856 wrote to memory of 4512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2856 wrote to memory of 4512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2856 wrote to memory of 4512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\ssl\ssleay32.dll",#1
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\libs\ssl\ssleay32.dll",#1
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:18
Platform
win10-20220812-es
Max time kernel
38s
Max time network
63s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\launcherd.exe
"C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\res\linker\launcherd.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 51.11.192.48:443 | | tcp |
| N/A | 8.253.146.249:80 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220901-es
Max time kernel
40s
Max time network
70s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\application\wsh.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.3:443 | | tcp |
| N/A | 84.53.175.11:80 | | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-01-25 17:08
Reported
2023-01-25 17:15
Platform
win10-20220812-es
Max time kernel
44s
Max time network
147s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Privacy Рolicу\cmds\cmds\prog\for.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 13.89.179.10:443 | | tcp |
| N/A | 13.107.4.50:80 | | tcp |