Malware Analysis Report

2025-01-22 15:23

Sample ID 231220-tsvtgsccd5
Target e55a88e3912ddc2ff9d019b31067c9a4
SHA256 8672b7df4c0acc1b75dcd966588e97f33f64a866b410a3aa2becb615715ea70a
Tags macro macro_on_action xlm
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview, Signatures
Analysis: behavioral4
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral10
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral24
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral32
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral12
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral21
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral28
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral29
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral22
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral26
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral11
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral15
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral18
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral8
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral23
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral25
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral16
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral31
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral19
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral7
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral17
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral20
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral27
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral9
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral13
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral14
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral30
  Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score 8/10

SHA256 8672b7df4c0acc1b75dcd966588e97f33f64a866b410a3aa2becb615715ea70a

Threat Level: Likely malicious

The file e55a88e3912ddc2ff9d019b31067c9a4 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action xlm

Office macro that triggers on suspicious action

Suspicious Office macro

Document created with cracked Office version

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2023-12-20 16:21

Signatures

Office macro that triggers on suspicious action

macro macro_on_action

Suspicious Office macro

macro xlm

Document created with cracked Office version

macro

Unsigned PE


Analysis: behavioral4

Detonation Overview

Submitted 2023-12-20 16:19
Reported 2023-12-22 11:13
Platform win10v2004-20231215-en
Max time kernel 137s
Max time network 148s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Analysis.dll

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\regsvr32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 3224 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Analysis.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Analysis.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3224 -ip 3224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 780

Network


Files


Analysis: behavioral10

Detonation Overview

Submitted 2023-12-20 16:19
Reported 2023-12-22 11:14
Platform win10v2004-20231215-en
Max time kernel 142s
Max time network 155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ClientPack.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ClientPack.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ClientPack.dll,#1

Network


Files


Analysis: behavioral24

Detonation Overview

Submitted 2023-12-20 16:19
Reported 2023-12-22 11:15
Platform win10v2004-20231215-en
Max time kernel 137s
Max time network 172s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\ClientPack.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 384 wrote to memory of 3096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\ClientPack.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\ClientPack.dll,#1

Network


Files


Analysis: behavioral32

Detonation Overview

Submitted 2023-12-20 16:19
Reported 2023-12-22 11:14
Platform win10v2004-20231215-en
Max time kernel 147s
Max time network 154s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Expense.dll

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\regsvr32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Expense.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Expense.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 664 -ip 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 780

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted 2023-12-20 16:19
Reported 2023-12-22 11:14
Platform win7-20231215-en
Max time kernel 148s
Max time network 130s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Accounting.dll

Signatures

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Accounting.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Accounting.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 384

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted 2023-12-20 16:19
Reported 2023-12-22 11:13
Platform win10v2004-20231215-en
Max time kernel 138s
Max time network 161s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Accounting.dll

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\regsvr32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4504 wrote to memory of 1484 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Accounting.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Accounting.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1484 -ip 1484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 780

Network


Files


Analysis: behavioral12

Detonation Overview

Submitted 2023-12-20 16:19
Reported 2023-12-22 11:14
Platform win10v2004-20231215-en
Max time kernel 145s
Max time network 153s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2DocFlow.dll

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\regsvr32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 444 wrote to memory of 4996 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2DocFlow.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Azk2DocFlow.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4996 -ip 4996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 780

Network


Files


Analysis: behavioral21

Detonation Overview

Submitted 2023-12-20 16:19
Reported 2023-12-22 11:14
Platform win7-20231215-en
Max time kernel 141s
Max time network 123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\CapInvest.dll

Signatures

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\CapInvest.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\CapInvest.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 380

Network

N/A

Files


Analysis: behavioral28

Detonation Overview

Submitted 2023-12-20 16:19
Reported 2023-12-22 11:16
Platform win10v2004-20231215-en
Max time kernel 122s
Max time network 205s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\DocFlow.dll

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\regsvr32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3868 wrote to memory of 2616 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\DocFlow.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\DocFlow.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2616 -ip 2616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 808

Network


Files


Analysis: behavioral29

Detonation Overview

Submitted 2023-12-20 16:19
Reported 2023-12-22 11:14
Platform win7-20231215-en
Max time kernel 118s
Max time network 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Ehlib.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Ehlib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Ehlib.dll,#1

Network

N/A

Files

memory/2028-0-0x0000000002340000-0x000000000261E000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted 2023-12-20 16:19
Reported 2023-12-22 11:14
Platform win10v2004-20231215-en
Max time kernel 117s
Max time network 155s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\CapInvest.dll

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\regsvr32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4172 wrote to memory of 220 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\CapInvest.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\CapInvest.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 220 -ip 220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 892

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |

Files

memory/220-0-0x00000000029A0000-0x0000000002D04000-memory.dmp

memory/220-2-0x0000000002EE0000-0x00000000031F3000-memory.dmp

memory/220-3-0x0000000002800000-0x00000000028AE000-memory.dmp

memory/220-5-0x0000000003200000-0x00000000034DE000-memory.dmp

memory/220-6-0x0000000003690000-0x000000000383C000-memory.dmp

memory/220-7-0x0000000002910000-0x0000000002946000-memory.dmp

memory/220-4-0x00000000028B0000-0x000000000290B000-memory.dmp

memory/220-9-0x0000000000FC0000-0x0000000000FDC000-memory.dmp

memory/220-8-0x0000000003840000-0x000000000396B000-memory.dmp

memory/220-1-0x0000000002D10000-0x0000000002ED2000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:16

Platform

win10v2004-20231215-en

Max time kernel

122s

Max time network

211s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Credits.dll

Signatures

Program crash

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3404 wrote to memory of 3836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3404 wrote to memory of 3836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3404 wrote to memory of 3836 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Credits.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Credits.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3836 -ip 3836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 780

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |

Files

memory/3836-0-0x00000000029B0000-0x0000000002D14000-memory.dmp

memory/3836-1-0x0000000003000000-0x00000000032DE000-memory.dmp

memory/3836-2-0x00000000032E0000-0x00000000034A2000-memory.dmp

memory/3836-5-0x0000000003C50000-0x0000000003CAB000-memory.dmp

memory/3836-4-0x0000000003AF0000-0x0000000003B9E000-memory.dmp

memory/3836-3-0x00000000037D0000-0x0000000003AE3000-memory.dmp

memory/3836-7-0x0000000004010000-0x00000000041BC000-memory.dmp

memory/3836-8-0x00000000042F0000-0x0000000004326000-memory.dmp

memory/3836-6-0x00000000041C0000-0x00000000042EB000-memory.dmp

memory/3836-9-0x0000000000ED0000-0x0000000000EEC000-memory.dmp

memory/3836-10-0x0000000000400000-0x0000000000546000-memory.dmp

memory/3836-11-0x0000000050050000-0x000000005064A000-memory.dmp

memory/3836-12-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/3836-13-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/3836-15-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/3836-18-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/3836-17-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/3836-19-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/3836-16-0x0000000050D90000-0x0000000050FDE000-memory.dmp

memory/3836-14-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/3836-20-0x00000000029B0000-0x0000000002D14000-memory.dmp

memory/3836-21-0x0000000003000000-0x00000000032DE000-memory.dmp

memory/3836-23-0x00000000037D0000-0x0000000003AE3000-memory.dmp

memory/3836-22-0x00000000032E0000-0x00000000034A2000-memory.dmp

memory/3836-24-0x0000000003AF0000-0x0000000003B9E000-memory.dmp

memory/3836-25-0x0000000003C50000-0x0000000003CAB000-memory.dmp

memory/3836-26-0x0000000004010000-0x00000000041BC000-memory.dmp

memory/3836-28-0x00000000042F0000-0x0000000004326000-memory.dmp

memory/3836-30-0x0000000050FE0000-0x0000000051027000-memory.dmp

memory/3836-31-0x0000000000ED0000-0x0000000000EEC000-memory.dmp

memory/3836-29-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/3836-27-0x00000000041C0000-0x00000000042EB000-memory.dmp

memory/3836-33-0x0000000050050000-0x000000005064A000-memory.dmp

memory/3836-42-0x00000000029B0000-0x0000000002D14000-memory.dmp

memory/3836-43-0x0000000003000000-0x00000000032DE000-memory.dmp

memory/3836-44-0x00000000032E0000-0x00000000034A2000-memory.dmp

memory/3836-45-0x00000000037D0000-0x0000000003AE3000-memory.dmp

memory/3836-46-0x0000000003AF0000-0x0000000003B9E000-memory.dmp

memory/3836-47-0x0000000003C50000-0x0000000003CAB000-memory.dmp

memory/3836-48-0x0000000004010000-0x00000000041BC000-memory.dmp

memory/3836-50-0x00000000042F0000-0x0000000004326000-memory.dmp

memory/3836-53-0x0000000000ED0000-0x0000000000EEC000-memory.dmp

memory/3836-54-0x0000000000400000-0x0000000000546000-memory.dmp

memory/3836-55-0x0000000050050000-0x000000005064A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:14

Platform

win7-20231129-en

Max time kernel

142s

Max time network

126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Analysis.dll

Signatures

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Analysis.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Analysis.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 380

Network

N/A

Files

memory/3004-0-0x0000000001F40000-0x0000000002012000-memory.dmp

memory/3004-1-0x0000000002500000-0x0000000002864000-memory.dmp

memory/3004-2-0x0000000002870000-0x0000000002B4E000-memory.dmp

memory/3004-3-0x00000000001C0000-0x000000000021B000-memory.dmp

memory/3004-4-0x0000000002B50000-0x0000000002E63000-memory.dmp

memory/3004-5-0x0000000002E70000-0x0000000003032000-memory.dmp

memory/3004-6-0x0000000000270000-0x000000000031E000-memory.dmp

memory/3004-8-0x0000000000190000-0x00000000001AC000-memory.dmp

memory/3004-9-0x0000000003040000-0x00000000031EC000-memory.dmp

memory/3004-7-0x0000000000330000-0x0000000000366000-memory.dmp

memory/3004-10-0x00000000031F0000-0x000000000331B000-memory.dmp

memory/3004-11-0x0000000000A70000-0x0000000000B03000-memory.dmp

memory/3004-13-0x0000000000370000-0x000000000038F000-memory.dmp

memory/3004-12-0x0000000003320000-0x0000000003497000-memory.dmp

memory/3004-14-0x0000000001F40000-0x0000000002012000-memory.dmp

memory/3004-16-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/3004-20-0x0000000002870000-0x0000000002B4E000-memory.dmp

memory/3004-19-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/3004-18-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/3004-17-0x0000000002500000-0x0000000002864000-memory.dmp

memory/3004-15-0x0000000050050000-0x000000005064A000-memory.dmp

memory/3004-22-0x00000000001C0000-0x000000000021B000-memory.dmp

memory/3004-28-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/3004-29-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/3004-30-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/3004-34-0x0000000003040000-0x00000000031EC000-memory.dmp

memory/3004-37-0x0000000003320000-0x0000000003497000-memory.dmp

memory/3004-36-0x0000000000A70000-0x0000000000B03000-memory.dmp

memory/3004-38-0x0000000000370000-0x000000000038F000-memory.dmp

memory/3004-35-0x00000000031F0000-0x000000000331B000-memory.dmp

memory/3004-33-0x0000000000190000-0x00000000001AC000-memory.dmp

memory/3004-32-0x0000000000330000-0x0000000000366000-memory.dmp

memory/3004-31-0x0000000000270000-0x000000000031E000-memory.dmp

memory/3004-27-0x0000000002E70000-0x0000000003032000-memory.dmp

memory/3004-26-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/3004-25-0x0000000050FE0000-0x0000000051027000-memory.dmp

memory/3004-24-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/3004-23-0x0000000002B50000-0x0000000002E63000-memory.dmp

memory/3004-21-0x0000000050D90000-0x0000000050FDE000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:13

Platform

win7-20231215-en

Max time kernel

118s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\AnalysisPack.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\AnalysisPack.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\AnalysisPack.dll,#1

Network

N/A

Files

memory/2716-0-0x00000000001D0000-0x00000000001EF000-memory.dmp

memory/2716-1-0x00000000020A0000-0x000000000237E000-memory.dmp

memory/2716-2-0x0000000000260000-0x00000000002BB000-memory.dmp

memory/2716-3-0x0000000002380000-0x0000000002693000-memory.dmp

memory/2716-4-0x0000000000A00000-0x0000000000BC2000-memory.dmp

memory/2716-5-0x0000000000460000-0x000000000050E000-memory.dmp

memory/2716-6-0x00000000002C0000-0x00000000002F6000-memory.dmp

memory/2716-7-0x00000000026A0000-0x0000000002A04000-memory.dmp

memory/2716-8-0x00000000001F0000-0x000000000020C000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:14

Platform

win7-20231215-en

Max time kernel

141s

Max time network

122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2DocFlow.dll

Signatures

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2DocFlow.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Azk2DocFlow.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 380

Network

N/A

Files

memory/2324-0-0x00000000001F0000-0x000000000022C000-memory.dmp

memory/2324-1-0x0000000002270000-0x00000000025D4000-memory.dmp

memory/2324-2-0x00000000025E0000-0x00000000028BE000-memory.dmp

memory/2324-3-0x0000000000270000-0x00000000002CB000-memory.dmp

memory/2324-4-0x00000000028C0000-0x0000000002BD3000-memory.dmp

memory/2324-5-0x0000000002BE0000-0x0000000002DA2000-memory.dmp

memory/2324-6-0x0000000002DB0000-0x0000000002E5E000-memory.dmp

memory/2324-7-0x00000000002D0000-0x0000000000306000-memory.dmp

memory/2324-8-0x0000000000310000-0x000000000032C000-memory.dmp

memory/2324-9-0x0000000002E60000-0x000000000300C000-memory.dmp

memory/2324-10-0x0000000003010000-0x000000000313B000-memory.dmp

memory/2324-11-0x00000000001F0000-0x000000000022C000-memory.dmp

memory/2324-12-0x0000000050050000-0x000000005064A000-memory.dmp

memory/2324-17-0x00000000025E0000-0x00000000028BE000-memory.dmp

memory/2324-16-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/2324-15-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/2324-14-0x0000000002270000-0x00000000025D4000-memory.dmp

memory/2324-13-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/2324-25-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/2324-24-0x0000000002BE0000-0x0000000002DA2000-memory.dmp

memory/2324-23-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/2324-31-0x0000000002E60000-0x000000000300C000-memory.dmp

memory/2324-30-0x0000000000310000-0x000000000032C000-memory.dmp

memory/2324-32-0x0000000003010000-0x000000000313B000-memory.dmp

memory/2324-29-0x00000000002D0000-0x0000000000306000-memory.dmp

memory/2324-28-0x0000000002DB0000-0x0000000002E5E000-memory.dmp

memory/2324-27-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/2324-26-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/2324-22-0x0000000050FE0000-0x0000000051027000-memory.dmp

memory/2324-21-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/2324-20-0x00000000028C0000-0x0000000002BD3000-memory.dmp

memory/2324-19-0x0000000000270000-0x00000000002CB000-memory.dmp

memory/2324-18-0x0000000050D90000-0x0000000050FDE000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:15

Platform

win7-20231215-en

Max time kernel

165s

Max time network

133s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2Kernel.dll

Signatures

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2Kernel.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Azk2Kernel.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 384

Network

N/A

Files

memory/2760-0-0x0000000001FF0000-0x0000000002162000-memory.dmp

memory/2760-1-0x0000000002170000-0x00000000024D4000-memory.dmp

memory/2760-2-0x00000000024E0000-0x00000000027BE000-memory.dmp

memory/2760-3-0x0000000000210000-0x000000000026B000-memory.dmp

memory/2760-4-0x00000000027C0000-0x0000000002AD3000-memory.dmp

memory/2760-6-0x0000000001F00000-0x0000000001FAE000-memory.dmp

memory/2760-5-0x0000000002AE0000-0x0000000002CA2000-memory.dmp

memory/2760-8-0x00000000001B0000-0x00000000001CC000-memory.dmp

memory/2760-10-0x0000000000270000-0x000000000028A000-memory.dmp

memory/2760-11-0x00000000002D0000-0x0000000000325000-memory.dmp

memory/2760-12-0x0000000002E60000-0x0000000002F8B000-memory.dmp

memory/2760-9-0x0000000002CB0000-0x0000000002E5C000-memory.dmp

memory/2760-7-0x0000000000130000-0x0000000000166000-memory.dmp

memory/2760-13-0x0000000001FF0000-0x0000000002162000-memory.dmp

memory/2760-14-0x0000000050050000-0x000000005064A000-memory.dmp

memory/2760-16-0x0000000002170000-0x00000000024D4000-memory.dmp

memory/2760-17-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/2760-15-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/2760-18-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/2760-19-0x00000000024E0000-0x00000000027BE000-memory.dmp

memory/2760-20-0x0000000050D90000-0x0000000050FDE000-memory.dmp

memory/2760-25-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/2760-24-0x0000000050FE0000-0x0000000051027000-memory.dmp

memory/2760-27-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/2760-26-0x0000000002AE0000-0x0000000002CA2000-memory.dmp

memory/2760-28-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/2760-23-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/2760-22-0x00000000027C0000-0x0000000002AD3000-memory.dmp

memory/2760-21-0x0000000000210000-0x000000000026B000-memory.dmp

memory/2760-29-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/2760-35-0x00000000002D0000-0x0000000000325000-memory.dmp

memory/2760-37-0x0000000002E60000-0x0000000002F8B000-memory.dmp

memory/2760-36-0x0000000021830000-0x00000000218A6000-memory.dmp

memory/2760-34-0x0000000000270000-0x000000000028A000-memory.dmp

memory/2760-33-0x0000000002CB0000-0x0000000002E5C000-memory.dmp

memory/2760-32-0x00000000001B0000-0x00000000001CC000-memory.dmp

memory/2760-31-0x0000000000130000-0x0000000000166000-memory.dmp

memory/2760-30-0x0000000001F00000-0x0000000001FAE000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:16

Platform

win10v2004-20231215-en

Max time kernel

135s

Max time network

199s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\BFTLib.dll

Signatures

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ProgID\ = "BFTLib.SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ProgID\ = "BFTLib.BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\ = "BFT Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ = "IBFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ = "ISimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ = "SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ = "BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\ = "BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\Clsid\ = "{843E098B-5D52-45EF-954D-23140B414ADD}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\Clsid\ = "{244636BF-CD77-4AE0-9615-92B526B9EA1E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ = "IBFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\ = "SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ = "ISimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570} | C:\Windows\SysWOW64\regsvr32.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4780 wrote to memory of 1800 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4780 wrote to memory of 1800 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4780 wrote to memory of 1800 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\BFTLib.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\BFTLib.dll

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 92.123.241.137:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |

Files

memory/1800-0-0x0000000002640000-0x0000000002802000-memory.dmp

memory/1800-2-0x0000000002810000-0x0000000002B23000-memory.dmp

memory/1800-1-0x0000000002B30000-0x0000000002BDE000-memory.dmp

memory/1800-3-0x0000000003480000-0x00000000037E4000-memory.dmp

memory/1800-4-0x00000000031A0000-0x000000000347E000-memory.dmp

memory/1800-5-0x0000000003AD0000-0x0000000003B2B000-memory.dmp

memory/1800-6-0x0000000002BE0000-0x0000000002C16000-memory.dmp

memory/1800-7-0x0000000000D50000-0x0000000000D6C000-memory.dmp

memory/1800-8-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1800-9-0x0000000050050000-0x000000005064A000-memory.dmp

memory/1800-10-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/1800-11-0x0000000050D90000-0x0000000050FDE000-memory.dmp

memory/1800-12-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/1800-13-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/1800-14-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/1800-15-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/1800-16-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/1800-17-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/1800-18-0x0000000002640000-0x0000000002802000-memory.dmp

memory/1800-19-0x0000000002810000-0x0000000002B23000-memory.dmp

memory/1800-22-0x0000000003480000-0x00000000037E4000-memory.dmp

memory/1800-21-0x00000000031A0000-0x000000000347E000-memory.dmp

memory/1800-24-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/1800-26-0x0000000002BE0000-0x0000000002C16000-memory.dmp

memory/1800-25-0x0000000050FE0000-0x0000000051027000-memory.dmp

memory/1800-27-0x0000000000D50000-0x0000000000D6C000-memory.dmp

memory/1800-23-0x0000000003AD0000-0x0000000003B2B000-memory.dmp

memory/1800-20-0x0000000002B30000-0x0000000002BDE000-memory.dmp

memory/1800-51-0x0000000050D90000-0x0000000050FDE000-memory.dmp

memory/1800-52-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/1800-53-0x00000000513F0000-0x0000000051456000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:14

Platform

win10v2004-20231215-en

Max time kernel

129s

Max time network

163s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll

Signatures

Program crash

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1964 wrote to memory of 3392 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1964 wrote to memory of 3392 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1964 wrote to memory of 3392 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3392 -ip 3392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 972
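The WriteProcessMemory rows and the WerFault lines above belong together, and the report leaves the connection to the reader. The writer is the 64-bit regsvr32.exe in System32: a 64-bit regsvr32 or rundll32 handed a 32-bit DLL starts the 32-bit copy of itself from SysWOW64 and continues there, and a parent's writes into a child it has just created are what process creation itself produces, not an injection into an unrelated process. The WerFault command lines carry the reported process's PID after -p, and since the Processes section prints no PIDs, the signature rows are the only place to tie that crash back to the SysWOW64 child. The script below is an added example, not part of the report or of any sandbox's own tooling; it parses the behavioral8 rows as printed (embedded below, copied from this section), labels each writer/target pair, and checks that the crashed PID is the relaunched 32-bit host. The same reading applies to the rundll32 pairs in behavioral23, behavioral6 and behavioral20.

```python
import re
from typing import Dict, List, Set, Tuple

# Signature rows and process list copied from the behavioral8 detonation (the report's own data).
# Rows are handled as printed; a "|"-delimited rendering of the same table parses identically.
WRITE_ROWS = [
    r"PID 1964 wrote to memory of 3392 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe",
    r"PID 1964 wrote to memory of 3392 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe",
    r"PID 1964 wrote to memory of 3392 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe",
]
PROCESSES = [  # (image path, command line) pairs as listed under Processes
    (r"C:\Windows\system32\regsvr32.exe", r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll"),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"/s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3392 -ip 3392"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 972"),
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p (\d+)(?=\s|$)")
# Hosts whose 64-bit copy in System32, when handed a 32-bit DLL, starts its own
# 32-bit copy from SysWOW64 and continues there.
WOW64_RELAUNCH_HOSTS = {"regsvr32.exe", "rundll32.exe"}

WriteKey = Tuple[int, int, str, str]  # (writer pid, target pid, writer image, target image)


def is_wow64_relaunch(writer: str, target: str) -> bool:
    """True when a 64-bit regsvr32/rundll32 in System32 wrote into the SysWOW64 copy of itself."""
    w, t = writer.lower(), target.lower()
    return (w.rsplit("\\", 1)[-1] in WOW64_RELAUNCH_HOSTS
            and "\\system32\\" in w
            and t == w.replace("\\system32\\", "\\syswow64\\"))


def classify_writes(rows: List[str]) -> Dict[WriteKey, Tuple[str, int]]:
    """Group WriteProcessMemory rows by writer/target pair and label each group with a count."""
    counts: Dict[WriteKey, int] = {}
    for row in rows:
        m = WRITE_RE.match(" ".join(row.replace("|", " ").split()))
        if not m:
            continue
        key: WriteKey = (int(m[1]), int(m[2]), m[3], m[4])
        counts[key] = counts.get(key, 0) + 1
    return {
        k: ("wow64-relaunch" if is_wow64_relaunch(k[2], k[3]) else "cross-process-write", n)
        for k, n in counts.items()
    }


def crashed_pids(processes: List[Tuple[str, str]]) -> Set[int]:
    """PIDs named by '-p' on WerFault command lines (the process being reported on)."""
    pids: Set[int] = set()
    for image, cmdline in processes:
        if image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(cmdline)
            if m:
                pids.add(int(m[1]))
    return pids


def triage(rows: List[str], processes: List[Tuple[str, str]]) -> dict:
    writes = classify_writes(rows)
    relaunched = {k[1] for k, (label, _) in writes.items() if label == "wow64-relaunch"}
    crashed = crashed_pids(processes)
    return {
        "writes": writes,
        "crashed_pids": crashed,
        # True when every crash WerFault reported is the relaunched 32-bit host, i.e. the DLL
        # faulted inside the SysWOW64 copy and nothing else was written into.
        "crash_is_wow64_host": bool(crashed) and crashed <= relaunched,
        # Writer/target pairs that are not the relaunch and deserve a look.
        "needs_attention": [k for k, (label, _) in writes.items() if label != "wow64-relaunch"],
    }
```

Anything that lands in needs_attention is a write from the host into some other image, which is the case this signature exists for; for this detonation the list is empty and the crash is the 32-bit host itself.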

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | N/A | tcp
US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.109.69.13.in-addr.arpa | udp

Files

memory/3392-0-0x00000000024C0000-0x0000000002824000-memory.dmp

memory/3392-2-0x0000000002830000-0x0000000002B0E000-memory.dmp

memory/3392-7-0x0000000003000000-0x00000000031AC000-memory.dmp

memory/3392-6-0x0000000003360000-0x0000000003396000-memory.dmp

memory/3392-5-0x0000000000CB0000-0x0000000000D0B000-memory.dmp

memory/3392-4-0x0000000000BF0000-0x0000000000C9E000-memory.dmp

memory/3392-3-0x0000000002B10000-0x0000000002E23000-memory.dmp

memory/3392-1-0x0000000002E30000-0x0000000002FF2000-memory.dmp

memory/3392-8-0x0000000000960000-0x000000000097C000-memory.dmp

memory/3392-9-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3392-10-0x0000000050050000-0x000000005064A000-memory.dmp

memory/3392-11-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/3392-12-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/3392-13-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/3392-14-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/3392-15-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/3392-16-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/3392-17-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/3392-18-0x0000000050D90000-0x0000000050FDE000-memory.dmp

memory/3392-19-0x00000000024C0000-0x0000000002824000-memory.dmp

memory/3392-20-0x0000000002830000-0x0000000002B0E000-memory.dmp

memory/3392-21-0x0000000002E30000-0x0000000002FF2000-memory.dmp

memory/3392-22-0x0000000002B10000-0x0000000002E23000-memory.dmp

memory/3392-23-0x0000000000BF0000-0x0000000000C9E000-memory.dmp

memory/3392-25-0x0000000003000000-0x00000000031AC000-memory.dmp

memory/3392-24-0x0000000000CB0000-0x0000000000D0B000-memory.dmp

memory/3392-26-0x0000000003360000-0x0000000003396000-memory.dmp

memory/3392-27-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/3392-29-0x0000000000960000-0x000000000097C000-memory.dmp

memory/3392-28-0x0000000050FE0000-0x0000000051027000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:16

Platform

win7-20231215-en

Max time kernel

46s

Max time network

48s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\ClientPack.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\ClientPack.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\ClientPack.dll,#1

Network

N/A

Files

memory/2592-0-0x0000000001F80000-0x00000000022E4000-memory.dmp

memory/2592-1-0x00000000022F0000-0x00000000025CE000-memory.dmp

memory/2592-2-0x0000000000160000-0x00000000001BB000-memory.dmp

memory/2592-3-0x00000000025D0000-0x00000000028E3000-memory.dmp

memory/2592-4-0x00000000028F0000-0x0000000002AB2000-memory.dmp

memory/2592-5-0x0000000000280000-0x000000000032E000-memory.dmp

memory/2592-6-0x0000000000470000-0x00000000004A6000-memory.dmp

memory/2592-7-0x0000000000340000-0x000000000035C000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:15

Platform

win7-20231215-en

Max time kernel

160s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Credits.dll

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Credits.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Credits.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 384

Network

N/A

Files

memory/2420-0-0x0000000001EF0000-0x0000000002036000-memory.dmp

memory/2420-1-0x00000000020E0000-0x0000000002444000-memory.dmp

memory/2420-2-0x0000000002450000-0x000000000272E000-memory.dmp

memory/2420-3-0x0000000000170000-0x00000000001CB000-memory.dmp

memory/2420-4-0x0000000002730000-0x0000000002A43000-memory.dmp

memory/2420-5-0x0000000002A50000-0x0000000002C12000-memory.dmp

memory/2420-6-0x0000000000220000-0x00000000002CE000-memory.dmp

memory/2420-7-0x0000000000590000-0x00000000005C6000-memory.dmp

memory/2420-9-0x0000000002C20000-0x0000000002DCC000-memory.dmp

memory/2420-8-0x00000000002D0000-0x00000000002EC000-memory.dmp

memory/2420-10-0x0000000002DD0000-0x0000000002EFB000-memory.dmp

memory/2420-11-0x0000000001EF0000-0x0000000002036000-memory.dmp

memory/2420-12-0x0000000050050000-0x000000005064A000-memory.dmp

memory/2420-13-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/2420-14-0x00000000020E0000-0x0000000002444000-memory.dmp

memory/2420-15-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/2420-16-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/2420-17-0x0000000002450000-0x000000000272E000-memory.dmp

memory/2420-18-0x0000000050D90000-0x0000000050FDE000-memory.dmp

memory/2420-19-0x0000000000170000-0x00000000001CB000-memory.dmp

memory/2420-23-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/2420-22-0x0000000050FE0000-0x0000000051027000-memory.dmp

memory/2420-27-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/2420-29-0x0000000000590000-0x00000000005C6000-memory.dmp

memory/2420-31-0x0000000002C20000-0x0000000002DCC000-memory.dmp

memory/2420-30-0x00000000002D0000-0x00000000002EC000-memory.dmp

memory/2420-28-0x0000000000220000-0x00000000002CE000-memory.dmp

memory/2420-26-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/2420-25-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/2420-24-0x0000000002A50000-0x0000000002C12000-memory.dmp

memory/2420-21-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/2420-20-0x0000000002730000-0x0000000002A43000-memory.dmp

memory/2420-32-0x0000000002DD0000-0x0000000002EFB000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:16

Platform

win10v2004-20231215-en

Max time kernel

135s

Max time network

199s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2Kernel.dll

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2608 wrote to memory of 2904 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2608 wrote to memory of 2904 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2608 wrote to memory of 2904 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Azk2Kernel.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Azk2Kernel.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2904 -ip 2904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 780

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp
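Every Network table in this report has the same shape, and the behavioral16 table above shows all three kinds of row it can contain: PTR (in-addr.arpa) queries sent to 8.8.8.8, a forward lookup (g.bing.com) and a direct TCP connection. The table attributes none of them to a process, so whether the reverse lookups are the sample's doing or the guest's own background activity is not something the table can settle by itself. The script below is an added example and not part of the report or of any sandbox's tooling; it parses the rows as printed (the behavioral16 rows are embedded, copied from the table above), turns each PTR name back into the address it names, keeps direct connections, forward lookups and reverse lookups apart, and flags reverse lookups for addresses that are never a direct destination in the same capture, so that they are not copied into an indicator list unexamined. Fed the behavioral8, behavioral6 or behavioral20 tables it reports 138.91.171.81:80/tcp as a direct connection with no name attached.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Network rows copied from the behavioral16 detonation (the report's own data, embedded so the
# example runs offline). Rows are handled as printed; a "|"-delimited rendering of the same
# table parses identically because delimiters are treated as spaces.
NETWORK_ROWS = """\
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


@dataclass
class NetworkSummary:
    direct: Dict[str, Optional[str]] = field(default_factory=dict)  # "ip:port/proto" -> name or None
    lookups: Set[str] = field(default_factory=set)                  # forward DNS names queried
    ptr_targets: Set[str] = field(default_factory=set)              # addresses whose PTR was queried
    uncorroborated_ptr: Set[str] = field(default_factory=set)       # PTR targets never contacted directly


def ptr_to_ip(name: str) -> Optional[str]:
    """Map '23.177.190.20.in-addr.arpa' back to '20.190.177.23'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return None
    return ip


def parse_row(row: str) -> Optional[dict]:
    """Parse one table row; delimiters and the report's 'N/A' placeholder are normalised away."""
    cells = [c for c in row.replace("|", " ").split() if c != "N/A"]
    if not cells:
        return None
    m = ROW_RE.match(" ".join(cells))
    return m.groupdict() if m else None


def summarize_network(table: str) -> NetworkSummary:
    s = NetworkSummary()
    for line in table.splitlines():
        r = parse_row(line)
        if r is None:
            continue
        # A UDP row to port 53 carrying a name is the query itself, not a connection to the name.
        if r["proto"] == "udp" and r["port"] == "53" and r["domain"] is not None:
            ip = ptr_to_ip(r["domain"])
            if ip:
                s.ptr_targets.add(ip)
            else:
                s.lookups.add(r["domain"].lower())
        else:
            s.direct[f'{r["ip"]}:{r["port"]}/{r["proto"]}'] = r["domain"]
    contacted = {endpoint.split(":")[0] for endpoint in s.direct}
    s.uncorroborated_ptr = {ip for ip in s.ptr_targets if ip not in contacted}
    return s
```

The addresses in uncorroborated_ptr are the ones to check against the guest's own baseline before they go anywhere near an indicator list; the direct entries are the rows that actually carried traffic.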

Files

memory/2904-1-0x0000000002ED0000-0x0000000003092000-memory.dmp

memory/2904-0-0x0000000002880000-0x0000000002BE4000-memory.dmp

memory/2904-4-0x0000000003270000-0x0000000003583000-memory.dmp

memory/2904-3-0x0000000003590000-0x000000000363E000-memory.dmp

memory/2904-5-0x0000000003640000-0x000000000369B000-memory.dmp

memory/2904-2-0x0000000002BF0000-0x0000000002ECE000-memory.dmp

memory/2904-6-0x0000000000E50000-0x0000000000E6A000-memory.dmp

memory/2904-7-0x0000000003850000-0x00000000039FC000-memory.dmp

memory/2904-8-0x0000000003BB0000-0x0000000003C05000-memory.dmp

memory/2904-9-0x0000000003C10000-0x0000000003C46000-memory.dmp

memory/2904-10-0x0000000003C50000-0x0000000003D7B000-memory.dmp

memory/2904-11-0x0000000001000000-0x000000000101C000-memory.dmp

memory/2904-12-0x0000000000400000-0x0000000000572000-memory.dmp

memory/2904-13-0x0000000050050000-0x000000005064A000-memory.dmp

memory/2904-14-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/2904-15-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/2904-16-0x0000000050D90000-0x0000000050FDE000-memory.dmp

memory/2904-18-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/2904-17-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/2904-19-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/2904-20-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/2904-22-0x0000000021830000-0x00000000218A6000-memory.dmp

memory/2904-21-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/2904-23-0x0000000002880000-0x0000000002BE4000-memory.dmp

memory/2904-24-0x0000000002BF0000-0x0000000002ECE000-memory.dmp

memory/2904-25-0x0000000002ED0000-0x0000000003092000-memory.dmp

memory/2904-26-0x0000000003270000-0x0000000003583000-memory.dmp

memory/2904-29-0x0000000003850000-0x00000000039FC000-memory.dmp

memory/2904-28-0x0000000003640000-0x000000000369B000-memory.dmp

memory/2904-30-0x0000000000E50000-0x0000000000E6A000-memory.dmp

memory/2904-27-0x0000000003590000-0x000000000363E000-memory.dmp

memory/2904-31-0x0000000003BB0000-0x0000000003C05000-memory.dmp

memory/2904-32-0x0000000003C50000-0x0000000003D7B000-memory.dmp

memory/2904-34-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/2904-33-0x0000000003C10000-0x0000000003C46000-memory.dmp

memory/2904-35-0x0000000050FE0000-0x0000000051027000-memory.dmp

memory/2904-36-0x0000000001000000-0x000000000101C000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:14

Platform

win7-20231215-en

Max time kernel

146s

Max time network

131s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Expense.dll

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Expense.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Expense.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 384

Network

N/A

Files

memory/1104-0-0x0000000001F30000-0x0000000002A51000-memory.dmp

memory/1104-2-0x0000000002A60000-0x0000000002DC4000-memory.dmp

memory/1104-3-0x0000000002DD0000-0x00000000030AE000-memory.dmp

memory/1104-4-0x0000000000890000-0x00000000008EB000-memory.dmp

memory/1104-5-0x00000000030B0000-0x00000000033C3000-memory.dmp

memory/1104-6-0x00000000033D0000-0x0000000003592000-memory.dmp

memory/1104-7-0x00000000008F0000-0x000000000099E000-memory.dmp

memory/1104-8-0x00000000009A0000-0x00000000009D6000-memory.dmp

memory/1104-9-0x0000000000170000-0x000000000018C000-memory.dmp

memory/1104-10-0x00000000035A0000-0x000000000374C000-memory.dmp

memory/1104-11-0x0000000003750000-0x000000000387B000-memory.dmp

memory/1104-12-0x0000000001F30000-0x0000000002A51000-memory.dmp

memory/1104-13-0x0000000050050000-0x000000005064A000-memory.dmp

memory/1104-14-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/1104-15-0x0000000002A60000-0x0000000002DC4000-memory.dmp

memory/1104-16-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/1104-17-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/1104-18-0x0000000002DD0000-0x00000000030AE000-memory.dmp

memory/1104-19-0x0000000050D90000-0x0000000050FDE000-memory.dmp

memory/1104-20-0x0000000000890000-0x00000000008EB000-memory.dmp

memory/1104-21-0x00000000030B0000-0x00000000033C3000-memory.dmp

memory/1104-22-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/1104-23-0x0000000050FE0000-0x0000000051027000-memory.dmp

memory/1104-24-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/1104-25-0x00000000033D0000-0x0000000003592000-memory.dmp

memory/1104-26-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/1104-27-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/1104-28-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/1104-29-0x00000000008F0000-0x000000000099E000-memory.dmp

memory/1104-30-0x00000000009A0000-0x00000000009D6000-memory.dmp

memory/1104-31-0x0000000000170000-0x000000000018C000-memory.dmp

memory/1104-32-0x00000000035A0000-0x000000000374C000-memory.dmp

memory/1104-33-0x0000000003750000-0x000000000387B000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:14

Platform

win7-20231215-en

Max time kernel

122s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\BftCryptoApiAdapter32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\BftCryptoApiAdapter32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\BftCryptoApiAdapter32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 224

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:14

Platform

win10v2004-20231215-en

Max time kernel

133s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\AnalysisPack.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 440 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 440 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 440 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\AnalysisPack.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\AnalysisPack.dll,#1

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | N/A | tcp
US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp

Files

memory/4792-0-0x0000000002660000-0x000000000293E000-memory.dmp

memory/4792-3-0x0000000003150000-0x00000000031FE000-memory.dmp

memory/4792-2-0x0000000002F80000-0x0000000003142000-memory.dmp

memory/4792-4-0x0000000003200000-0x000000000325B000-memory.dmp

memory/4792-1-0x0000000002C60000-0x0000000002F73000-memory.dmp

memory/4792-5-0x0000000003260000-0x00000000035C4000-memory.dmp

memory/4792-7-0x0000000000E60000-0x0000000000E7C000-memory.dmp

memory/4792-6-0x0000000002940000-0x0000000002976000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:15

Platform

win7-20231215-en

Max time kernel

150s

Max time network

41s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\Asset.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 384

Network

N/A

Files

memory/2736-0-0x0000000001F10000-0x0000000002274000-memory.dmp

memory/2736-1-0x0000000002280000-0x000000000255E000-memory.dmp

memory/2736-2-0x00000000007D0000-0x000000000082B000-memory.dmp

memory/2736-3-0x0000000002560000-0x0000000002873000-memory.dmp

memory/2736-4-0x0000000002880000-0x0000000002A42000-memory.dmp

memory/2736-5-0x0000000002A50000-0x0000000002AFE000-memory.dmp

memory/2736-6-0x00000000001E0000-0x0000000000216000-memory.dmp

memory/2736-7-0x0000000000170000-0x000000000018C000-memory.dmp

memory/2736-8-0x0000000002B00000-0x0000000002CAC000-memory.dmp

memory/2736-9-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2736-10-0x0000000050050000-0x000000005064A000-memory.dmp

memory/2736-11-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/2736-12-0x0000000001F10000-0x0000000002274000-memory.dmp

memory/2736-13-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/2736-14-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/2736-15-0x0000000002280000-0x000000000255E000-memory.dmp

memory/2736-16-0x0000000050D90000-0x0000000050FDE000-memory.dmp

memory/2736-17-0x00000000007D0000-0x000000000082B000-memory.dmp

memory/2736-18-0x0000000002560000-0x0000000002873000-memory.dmp

memory/2736-19-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/2736-20-0x0000000050FE0000-0x0000000051027000-memory.dmp

memory/2736-21-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/2736-22-0x0000000002880000-0x0000000002A42000-memory.dmp

memory/2736-23-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/2736-24-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/2736-25-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/2736-26-0x0000000002A50000-0x0000000002AFE000-memory.dmp

memory/2736-27-0x00000000001E0000-0x0000000000216000-memory.dmp

memory/2736-28-0x0000000000170000-0x000000000018C000-memory.dmp

memory/2736-29-0x0000000002B00000-0x0000000002CAC000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:15

Platform

win7-20231215-en

Max time kernel

118s

Max time network

126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\BFTLib.dll

Signatures

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ = "IBFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\Clsid\ = "{244636BF-CD77-4AE0-9615-92B526B9EA1E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\Clsid\ = "{843E098B-5D52-45EF-954D-23140B414ADD}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ = "ISimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ = "BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ = "ISimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ProgID\ = "BFTLib.BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ = "IBFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ = "SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\ = "SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\ = "BFTSignedData" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\ = "BFT Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ProgID\ = "BFTLib.SimpleSigner" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
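The 64 "Modifies registry class" rows above are the ordinary footprint of regsvr32 calling a COM server's DllRegisterServer: two coclasses (CLSID {244636BF-...} SimpleSigner and {843E098B-...} BFTSignedData), their ProgIDs, two interfaces, one type library, and InprocServer32 values naming the DLL. Spread over 64 rows that structure is hard to see, and the one fact worth acting on, that both InprocServer32 values point into C:\Users\Admin\AppData\Local\Temp\client\, sits in two of them. The script below is an added example, not part of the report or of any sandbox's tooling; it folds the rows (a subset is embedded, copied from the table above) into per-CLSID, per-interface and per-typelib records, merges the Wow6432Node view with the native one so the 32-bit and native paths land on the same record, and flags any in-process server registered from a user-writable location. The list of user-writable prefixes is an illustrative assumption of the example, not something the report states.

```python
import re
from typing import Dict, List, Optional

# A subset of the "Modifies registry class" rows from the behavioral17 detonation, copied from
# the report (the full 64-row table parses the same way). Rows are handled as printed; a
# "|"-delimited rendering of the table is accepted too.
REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.SimpleSigner\Clsid\ = "{244636BF-CD77-4AE0-9615-92B526B9EA1E}" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BFTLib.BFTSignedData\Clsid\ = "{843E098B-5D52-45EF-954D-23140B414ADD}" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{244636BF-CD77-4AE0-9615-92B526B9EA1E}\ProgID\ = "BFTLib.SimpleSigner" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\client\\BFTLib.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\ProgID\ = "BFTLib.BFTSignedData" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843E098B-5D52-45EF-954D-23140B414ADD}\TypeLib\ = "{D5A40E8F-D442-4107-B691-F49E732E2E7E}" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ = "IBFTSignedData" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ = "IBFTSignedData" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCBF8FB1-0BE1-4C76-8142-CCBFCFF12570}\ = "ISimpleSigner" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13F3B907-5464-48C4-B646-34073B18632F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5A40E8F-D442-4107-B691-F49E732E2E7E}\1.0\ = "BFT Library" C:\Windows\SysWOW64\regsvr32.exe N/A',
]

ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created)\s*\|?\s*'
    r'(?P<path>\\REGISTRY\\\S+)'
    r'(?:\s*=\s*"(?P<value>(?:[^"\\]|\\.)*)")?'
    r'\s*\|?\s*(?P<process>\S+)\s*\|?\s*(?P<target>\S+)\s*$'
)

# The type-library marshalling proxy/stub CLSID (oleaut32's PSOAInterface): interfaces that
# name it are marshalled from the type library rather than by a custom proxy/stub DLL.
PSOAINTERFACE = "{00020424-0000-0000-C000-000000000046}"

# Illustrative list (an assumption of this example): path fragments a standard user can write to.
USER_WRITABLE_PREFIXES = ("\\appdata\\local\\temp\\", "\\users\\public\\")


def parse_row(row: str) -> Optional[dict]:
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["value"] is not None:
        d["value"] = d["value"].replace("\\\\", "\\")  # undo the report's backslash escaping
    return d


def build_com_model(rows: List[str]) -> Dict[str, Dict[str, dict]]:
    """Fold registry rows into clsid / progid / interface / typelib tables keyed by GUID or ProgID."""
    model: Dict[str, Dict[str, dict]] = {"clsid": {}, "progid": {}, "interface": {}, "typelib": {}}
    tables = {"CLSID": "clsid", "Interface": "interface", "TypeLib": "typelib"}
    for row in rows:
        r = parse_row(row)
        if r is None:
            continue
        # Merge the WoW64 registry view onto the native one: same classes, same values.
        parts = [p for p in r["path"].replace("\\Wow6432Node", "").split("\\") if p]
        if len(parts) < 6 or parts[3] != "Classes":
            continue
        kind, rest, value = parts[4], parts[5:], r["value"]
        if kind in tables:
            entry = model[tables[kind]].setdefault(rest[0], {})
            if value is not None:
                entry["\\".join(rest[1:]) or "(Default)"] = value
        elif rest == ["Clsid"] and value is not None:
            model["progid"][kind] = value  # Classes\<ProgID>\Clsid = {CLSID}
    return model


def suspicious_servers(model: Dict[str, Dict[str, dict]]) -> Dict[str, str]:
    """CLSIDs whose in-process server is registered from a user-writable path."""
    out: Dict[str, str] = {}
    for clsid, entry in model["clsid"].items():
        dll = entry.get("InprocServer32")
        if dll and any(p in dll.lower() for p in USER_WRITABLE_PREFIXES):
            out[clsid] = dll
    return out


def summary(model: Dict[str, Dict[str, dict]]) -> dict:
    return {
        "progids": dict(model["progid"]),
        "servers": {c: e.get("InprocServer32") for c, e in model["clsid"].items()},
        "typelib_marshalled": [i for i, e in model["interface"].items()
                               if e.get("ProxyStubClsid32", "").upper() == PSOAINTERFACE],
        "user_writable_servers": suspicious_servers(model),
    }
```

On a host, the same CLSIDs and ProgIDs are what to look for under HKLM\SOFTWARE\Classes (and its Wow6432Node view) to confirm or undo the registration; an InprocServer32 that points into a user-writable directory means any process that later instantiates BFTLib.SimpleSigner or BFTLib.BFTSignedData loads whatever is at that path.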

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 2224 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\BFTLib.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\BFTLib.dll

Network

N/A

Files

memory/2224-0-0x0000000000810000-0x0000000000886000-memory.dmp

memory/2224-1-0x0000000001D80000-0x0000000002093000-memory.dmp

memory/2224-2-0x00000000020A0000-0x0000000002262000-memory.dmp

memory/2224-3-0x0000000002270000-0x000000000254E000-memory.dmp

memory/2224-4-0x0000000002550000-0x00000000025AB000-memory.dmp

memory/2224-5-0x00000000025B0000-0x000000000265E000-memory.dmp

memory/2224-6-0x0000000000780000-0x00000000007B6000-memory.dmp

memory/2224-7-0x0000000002660000-0x00000000029C4000-memory.dmp

memory/2224-8-0x00000000029D0000-0x00000000029EC000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:14

Platform

win10v2004-20231215-en

Max time kernel

118s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\BftCryptoApiAdapter32.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4608 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4608 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4608 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\BftCryptoApiAdapter32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\BftCryptoApiAdapter32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 956 -ip 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 604

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
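Most rows in this table are reverse (PTR) lookups sent to 8.8.8.8; an in-addr.arpa name carries the queried IPv4 address with its octets reversed, so 146.177.190.20.in-addr.arpa asks about 20.190.177.146. The one row with an empty Domain column is a TCP connection to 138.91.171.81:80 made without any name resolution appearing in the table, which is the row to pivot on. The Python below is an added helper, not part of the sandbox report or its tooling: it parses rows in the format printed here (copied from this table, plus the two g.bing.com rows from behavioral14 below so that a forward lookup and the connection it resolves are represented), turns each PTR name back into the address it asks about, and separates bare-IP connections from resolved ones.

```python
import re

# Rows copied from the Network table of behavioral20 above; the last two rows
# are copied from behavioral14 so that a forward lookup and its connection appear.
NETWORK_ROWS = [
    "US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp",
    "US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp",
    "US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp",
    "US 138.91.171.81:80 tcp",
    "US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp",
    "US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp",
    "US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp",
    "US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp",
    "US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp",
    "US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp",
    "US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.200:443 g.bing.com tcp",
]

# Columns: Country, Destination (ip:port), optional Domain, Proto.
ROW_RE = re.compile(
    r"^(?P<country>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def ptr_to_ip(name):
    """'146.177.190.20.in-addr.arpa' -> '20.190.177.146'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(lab.isdigit() and int(lab) <= 255 for lab in labels):
        return None
    return ".".join(reversed(labels))


def triage(rows):
    """Split the table into reverse lookups, forward lookups, resolved and bare-IP connections."""
    out = {"ptr_lookups": [], "forward_lookups": [], "resolved": [], "bare_ip": []}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"row does not match the network table format: {row!r}")
        domain, port = m["domain"], int(m["port"])
        if domain and port == 53:
            ip = ptr_to_ip(domain)
            if ip:
                out["ptr_lookups"].append(ip)       # address the sandbox asked about
            else:
                out["forward_lookups"].append(domain)
        elif domain:
            out["resolved"].append((m["ip"], port, domain))
        else:
            out["bare_ip"].append((m["ip"], port, m["proto"]))  # no name in the table
    return out


if __name__ == "__main__":
    t = triage(NETWORK_ROWS)
    print(f"{len(t['ptr_lookups'])} reverse lookups, {len(t['forward_lookups'])} forward lookups")
    for ip, port, proto in t["bare_ip"]:
        print(f"pivot: {ip}:{port}/{proto} contacted with no name resolution in the table")
```

Nothing on this page ties the reverse-lookup targets to the sample, so the helper keeps them apart from the bare-IP connection rather than discarding them; the reversed addresses are what to compare against the sandbox's own traffic when deciding whether a lookup is background activity.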

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:16

Platform

win7-20231215-en

Max time kernel

181s

Max time network

142s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\DocFlow.dll

Signatures

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\client\DocFlow.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\client\DocFlow.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 384

Network

N/A

Files

memory/2764-0-0x0000000001FB0000-0x0000000002089000-memory.dmp

memory/2764-1-0x0000000002160000-0x00000000024C4000-memory.dmp

memory/2764-2-0x00000000024D0000-0x00000000027AE000-memory.dmp

memory/2764-3-0x0000000000200000-0x000000000025B000-memory.dmp

memory/2764-4-0x00000000027B0000-0x0000000002AC3000-memory.dmp

memory/2764-5-0x0000000002AD0000-0x0000000002C92000-memory.dmp

memory/2764-6-0x0000000000940000-0x00000000009EE000-memory.dmp

memory/2764-7-0x0000000000310000-0x0000000000346000-memory.dmp

memory/2764-8-0x0000000000130000-0x000000000014C000-memory.dmp

memory/2764-9-0x0000000001FB0000-0x0000000002089000-memory.dmp

memory/2764-10-0x0000000050050000-0x000000005064A000-memory.dmp

memory/2764-11-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/2764-12-0x0000000002160000-0x00000000024C4000-memory.dmp

memory/2764-14-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/2764-13-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/2764-15-0x00000000024D0000-0x00000000027AE000-memory.dmp

memory/2764-16-0x0000000050D90000-0x0000000050FDE000-memory.dmp

memory/2764-18-0x00000000027B0000-0x0000000002AC3000-memory.dmp

memory/2764-17-0x0000000000200000-0x000000000025B000-memory.dmp

memory/2764-19-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/2764-20-0x0000000050FE0000-0x0000000051027000-memory.dmp

memory/2764-21-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/2764-22-0x0000000002AD0000-0x0000000002C92000-memory.dmp

memory/2764-23-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/2764-24-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/2764-26-0x0000000000940000-0x00000000009EE000-memory.dmp

memory/2764-25-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/2764-27-0x0000000000310000-0x0000000000346000-memory.dmp

memory/2764-28-0x0000000000130000-0x000000000014C000-memory.dmp
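Each name in this list encodes the dumped process, a sequence number and the virtual address range of the region: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp. The list is not in sequence order (14 precedes 13, 18 precedes 17), and nine ranges appear twice (0x01FB0000-0x02089000 at seq 0 and 9, for instance), meaning the sandbox dumped those regions a second time; comparing the two copies of a repeated range is the natural first step when looking for code that changed after load. The Python below is an added helper, not part of the sandbox report or its tooling; it parses the names exactly as printed here, rejects inverted ranges, and reports region sizes, the ranges dumped more than once and the largest region.

```python
import re
from collections import defaultdict

# Dump names copied, in page order, from the Files list of behavioral27 above.
DUMPS = [
    "memory/2764-0-0x0000000001FB0000-0x0000000002089000-memory.dmp",
    "memory/2764-1-0x0000000002160000-0x00000000024C4000-memory.dmp",
    "memory/2764-2-0x00000000024D0000-0x00000000027AE000-memory.dmp",
    "memory/2764-3-0x0000000000200000-0x000000000025B000-memory.dmp",
    "memory/2764-4-0x00000000027B0000-0x0000000002AC3000-memory.dmp",
    "memory/2764-5-0x0000000002AD0000-0x0000000002C92000-memory.dmp",
    "memory/2764-6-0x0000000000940000-0x00000000009EE000-memory.dmp",
    "memory/2764-7-0x0000000000310000-0x0000000000346000-memory.dmp",
    "memory/2764-8-0x0000000000130000-0x000000000014C000-memory.dmp",
    "memory/2764-9-0x0000000001FB0000-0x0000000002089000-memory.dmp",
    "memory/2764-10-0x0000000050050000-0x000000005064A000-memory.dmp",
    "memory/2764-11-0x0000000050650000-0x0000000050A0E000-memory.dmp",
    "memory/2764-12-0x0000000002160000-0x00000000024C4000-memory.dmp",
    "memory/2764-14-0x00000000513F0000-0x0000000051456000-memory.dmp",
    "memory/2764-13-0x0000000050CF0000-0x0000000050D8C000-memory.dmp",
    "memory/2764-15-0x00000000024D0000-0x00000000027AE000-memory.dmp",
    "memory/2764-16-0x0000000050D90000-0x0000000050FDE000-memory.dmp",
    "memory/2764-18-0x00000000027B0000-0x0000000002AC3000-memory.dmp",
    "memory/2764-17-0x0000000000200000-0x000000000025B000-memory.dmp",
    "memory/2764-19-0x0000000051B90000-0x0000000051C4F000-memory.dmp",
    "memory/2764-20-0x0000000050FE0000-0x0000000051027000-memory.dmp",
    "memory/2764-21-0x0000000050A10000-0x0000000050A56000-memory.dmp",
    "memory/2764-22-0x0000000002AD0000-0x0000000002C92000-memory.dmp",
    "memory/2764-23-0x0000000051350000-0x00000000513A1000-memory.dmp",
    "memory/2764-24-0x00000000510C0000-0x0000000051346000-memory.dmp",
    "memory/2764-26-0x0000000000940000-0x00000000009EE000-memory.dmp",
    "memory/2764-25-0x0000000051050000-0x00000000510B9000-memory.dmp",
    "memory/2764-27-0x0000000000310000-0x0000000000346000-memory.dmp",
    "memory/2764-28-0x0000000000130000-0x000000000014C000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Return pid, sequence number, start/end addresses and size of one dump name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted or empty range: {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def region_report(names):
    """Summarise a Files list: distinct ranges, ranges dumped more than once, largest region."""
    regions = [parse_dump(n) for n in names]
    by_range = defaultdict(list)
    for r in regions:
        by_range[(r["pid"], r["start"], r["end"])].append(r["seq"])
    return {
        "count": len(regions),
        "unique_ranges": len(by_range),
        # ranges dumped more than once, with the sequence numbers of each dump
        "repeated": {k: sorted(v) for k, v in by_range.items() if len(v) > 1},
        "largest": max(regions, key=lambda r: r["size"]),
        "ordered": sorted(regions, key=lambda r: r["seq"]),  # page order is not seq order
    }


if __name__ == "__main__":
    rep = region_report(DUMPS)
    print(f"{rep['count']} dumps, {rep['unique_ranges']} distinct ranges")
    for (pid, start, end), seqs in sorted(rep["repeated"].items(), key=lambda kv: kv[1]):
        print(f"pid {pid} 0x{start:08X}-0x{end:08X} ({end - start:#x} bytes) dumped at seq {seqs}")
    big = rep["largest"]
    print(f"largest: seq {big['seq']} 0x{big['start']:08X}-0x{big['end']:08X} {big['size']:#x} bytes")
```

The same parser applies to the other Files lists on this page (PIDs 2224, 2848 and 792), so the repeated-range check can be run across every behavioral analysis without changing the code.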

Analysis: behavioral9

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:15

Platform

win7-20231215-en

Max time kernel

122s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ClientPack.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2820 wrote to memory of 2848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ClientPack.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ClientPack.dll,#1

Network

N/A

Files

memory/2848-0-0x0000000001FD0000-0x000000000217C000-memory.dmp

memory/2848-1-0x0000000002180000-0x0000000002493000-memory.dmp

memory/2848-3-0x0000000002670000-0x000000000294E000-memory.dmp

memory/2848-2-0x00000000024A0000-0x0000000002662000-memory.dmp

memory/2848-4-0x00000000003A0000-0x00000000003FB000-memory.dmp

memory/2848-5-0x0000000000450000-0x00000000004FE000-memory.dmp

memory/2848-6-0x0000000002950000-0x0000000002CB4000-memory.dmp

memory/2848-7-0x0000000000130000-0x000000000014C000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:14

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ExpensePack.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ExpensePack.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ExpensePack.dll,#1

Network

N/A

Files

memory/2224-9-0x0000000002D10000-0x0000000002EBC000-memory.dmp

memory/2224-8-0x00000000001D0000-0x00000000001EC000-memory.dmp

memory/2224-7-0x00000000029A0000-0x0000000002D04000-memory.dmp

memory/2224-6-0x0000000000180000-0x00000000001B6000-memory.dmp

memory/2224-5-0x00000000028F0000-0x000000000299E000-memory.dmp

memory/2224-4-0x0000000002720000-0x00000000028E2000-memory.dmp

memory/2224-3-0x0000000002400000-0x0000000002713000-memory.dmp

memory/2224-2-0x0000000000260000-0x00000000002BB000-memory.dmp

memory/2224-1-0x0000000002120000-0x00000000023FE000-memory.dmp

memory/2224-0-0x0000000001F60000-0x000000000208B000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:16

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

206s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ExpensePack.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3500 wrote to memory of 792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3500 wrote to memory of 792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3500 wrote to memory of 792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ExpensePack.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Azk2ExpensePack.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp

Files

memory/792-0-0x0000000002D90000-0x000000000306E000-memory.dmp

memory/792-2-0x0000000003390000-0x0000000003552000-memory.dmp

memory/792-1-0x0000000003070000-0x0000000003383000-memory.dmp

memory/792-5-0x0000000001570000-0x00000000015CB000-memory.dmp

memory/792-4-0x00000000036C0000-0x0000000003A24000-memory.dmp

memory/792-6-0x0000000003A30000-0x0000000003BDC000-memory.dmp

memory/792-3-0x0000000003610000-0x00000000036BE000-memory.dmp

memory/792-7-0x0000000003BE0000-0x0000000003C16000-memory.dmp

memory/792-8-0x0000000003560000-0x000000000357C000-memory.dmp

memory/792-9-0x0000000000400000-0x000000000052B000-memory.dmp

memory/792-10-0x0000000050050000-0x000000005064A000-memory.dmp

memory/792-11-0x0000000050650000-0x0000000050A0E000-memory.dmp

memory/792-12-0x0000000050CF0000-0x0000000050D8C000-memory.dmp

memory/792-14-0x0000000050A10000-0x0000000050A56000-memory.dmp

memory/792-13-0x00000000513F0000-0x0000000051456000-memory.dmp

memory/792-15-0x0000000051350000-0x00000000513A1000-memory.dmp

memory/792-16-0x00000000510C0000-0x0000000051346000-memory.dmp

memory/792-18-0x0000000050D90000-0x0000000050FDE000-memory.dmp

memory/792-17-0x0000000051050000-0x00000000510B9000-memory.dmp

memory/792-19-0x0000000002D90000-0x000000000306E000-memory.dmp

memory/792-20-0x0000000003070000-0x0000000003383000-memory.dmp

memory/792-21-0x0000000003390000-0x0000000003552000-memory.dmp

memory/792-22-0x0000000003610000-0x00000000036BE000-memory.dmp

memory/792-23-0x00000000036C0000-0x0000000003A24000-memory.dmp

memory/792-24-0x0000000001570000-0x00000000015CB000-memory.dmp

memory/792-25-0x0000000003A30000-0x0000000003BDC000-memory.dmp

memory/792-28-0x0000000050FE0000-0x0000000051027000-memory.dmp

memory/792-27-0x0000000051B90000-0x0000000051C4F000-memory.dmp

memory/792-26-0x0000000003BE0000-0x0000000003C16000-memory.dmp

memory/792-29-0x0000000003560000-0x000000000357C000-memory.dmp

memory/792-31-0x0000000050050000-0x000000005064A000-memory.dmp

memory/792-61-0x0000000002D90000-0x000000000306E000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2023-12-20 16:19

Reported

2023-12-22 11:15

Platform

win10v2004-20231215-en

Max time kernel

134s

Max time network

172s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Ehlib.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1388 wrote to memory of 784 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1388 wrote to memory of 784 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1388 wrote to memory of 784 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Ehlib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\client\Ehlib.dll,#1

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp

Files

memory/784-0-0x00000000024E0000-0x00000000027BE000-memory.dmp