Malware Analysis Report

2025-08-05 16:43

Sample ID 240204-tq7p9seac6
Target VirusShare_909e8c66ce11649ae9e2564bfd6069b1
SHA256 e888b16855db866dac97307189632e7c36c8c909f4fa33c2e554685d9b6d143d
Tags
adware stealer spyware discovery
score
7/10

Analysis Overview

score
7/10

SHA256

e888b16855db866dac97307189632e7c36c8c909f4fa33c2e554685d9b6d143d

Threat Level: Shows suspicious behavior

The file VirusShare_909e8c66ce11649ae9e2564bfd6069b1 was found to show suspicious behavior.

Malicious Activity Summary

adware stealer spyware discovery

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 16:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

157s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1721.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\ = "MediaWatchV1home1721" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\ = "{C96BC771-7B36-4AC4-9959-1376C8CE1397}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home1721.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ = "IMediaWatchV1home1721BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ = "IMediaWatchV1home1721BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\TypeLib\ = "{c96bc771-7b36-4ac4-9959-1376c8ce1397}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\ = "MediaWatchV1home1721" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\ = "{C96BC771-7B36-4AC4-9959-1376C8CE1397}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\ = "MediaWatchV1home1721Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home1721.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4112 wrote to memory of 3488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4112 wrote to memory of 3488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4112 wrote to memory of 3488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1721.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1721.dll

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win7-20231215-en

Max time kernel

120s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 124a5e439283e44bfa8a5d04c67bf7ee
SHA1 a39b9ccd9697d7dd180f70b715ab360715f37692
SHA256 bcd3578237b892fffff7cce754fdc2c2073df8b691ab3c6d9fb6431e5fd9e515
SHA512 da9794e7de4409304acd974e52533e9c8cc97c615a9ea5bb351255bb6108520bb4022656173b601537a2a613a98c366e65dd6498201c5cfe2f7b0137f4f65be2

\Users\Admin\AppData\Local\Temp\nst55EE.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:20

Platform

win7-20231215-en

Max time kernel

119s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 2404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4780 wrote to memory of 2404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4780 wrote to memory of 2404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 624

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:20

Platform

win10v2004-20231215-en

Max time kernel

134s

Max time network

178s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home1721chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home1721chaction.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win7-20231215-en

Max time kernel

118s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1721.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1721.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1721ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1721ffaction.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 216 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 216 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 216 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 624

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win7-20231215-en

Max time kernel

120s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 224

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win7-20231215-en

Max time kernel

120s

Max time network

136s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home1721chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home1721chaction.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win10v2004-20231215-en

Max time kernel

128s

Max time network

170s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1721.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1721.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1721ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1721ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win7-20231129-en

Max time kernel

122s

Max time network

122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1721.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\ = "MediaWatchV1home1721" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\TypeLib\ = "{c96bc771-7b36-4ac4-9959-1376c8ce1397}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\ = "MediaWatchV1home1721" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home1721.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home1721.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\ = "{C96BC771-7B36-4AC4-9959-1376C8CE1397}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\ = "{C96BC771-7B36-4AC4-9959-1376C8CE1397}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ = "IMediaWatchV1home1721BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\ = "MediaWatchV1home1721Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ = "IMediaWatchV1home1721BHO" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 3004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 3004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 3004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 3004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 3004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 3004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 3004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1721.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1721.dll

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win7-20231215-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\ = "MediaWatchV1home1721" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\ffMediaWatchV1home1721.js C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\ffMediaWatchV1home1721.js C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons\default\MediaWatchV1home1721_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ie\MediaWatchV1home1721.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons\default\MediaWatchV1home1721_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\ffMediaWatchV1home1721ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ch\MediaWatchV1home1721.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ch\MediaWatchV1home1721.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\ffMediaWatchV1home1721ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} = 51667a6c4c1d3b1b84fd0684339f9c0a919321fb7b85cc6f C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\ = "{C96BC771-7B36-4AC4-9959-1376C8CE1397}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\TypeLib\ = "{c96bc771-7b36-4ac4-9959-1376c8ce1397}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ = "IMediaWatchV1home1721BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ = "IMediaWatchV1home1721BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\ = "MediaWatchV1home1721Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\ = "MediaWatchV1home1721" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1721\\ie\\MediaWatchV1home1721.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1721\\ie\\MediaWatchV1home1721.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1721\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\ = "{C96BC771-7B36-4AC4-9959-1376C8CE1397}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 2312 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1680 wrote to memory of 2840 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe C:\Windows\SysWOW64\gpupdate.exe
Both targets are children the installer itself launched (see Processes below); a parent writing into the address space of a child it has just created is part of normal process start-up, so on its own this signature is not evidence of code injection.

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ie\MediaWatchV1home1721.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force
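
Two rows in this analysis deserve more attention than the sandbox gives them: the installer creates C:\Windows\System32\GroupPolicy\Machine\Registry.pol (and opens gpt.ini, whose version counter must change for the policy engine to reapply the file) and then runs gpupdate.exe /force, which is the ordinary way to make the Local Group Policy engine apply a freshly written machine policy. The report does not show what the policy file contains, so the parser below, an added example rather than code from the report or the sample, is exercised on a constructed Registry.pol; point parse_pol at the real file recovered from the detonation or from a host to see what the installer pushes. The layout it assumes is the documented PReg format: a "PReg" magic and version 1, then [key;value;type;size;data] records whose brackets, semicolons and strings are UTF-16LE. The ExtensionInstallForcelist entry in the constructed input is a placeholder with a fake extension id and URL, chosen only because the installer also drops a .crx; nothing here asserts the real file carries it.

```python
"""Parse a Group Policy Registry.pol (PReg) file and list the registry settings it pushes.

Added example for this report, not code from the sandbox or the sample. The report
records that Registry.pol is dropped and gpupdate /force is run, but not the file's
contents, so SAMPLE_POL below is constructed. Assumed format: "PReg" magic + DWORD
version 1, then [key;value;type;size;data] records in UTF-16LE.
"""
import struct
from typing import Iterator, List, NamedTuple

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
TYPE_NAMES = {REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ", REG_BINARY: "REG_BINARY",
              REG_DWORD: "REG_DWORD", REG_MULTI_SZ: "REG_MULTI_SZ"}
MAGIC = b"PReg" + struct.pack("<I", 1)


class PolEntry(NamedTuple):
    key: str
    value: str
    reg_type: int
    data: object


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def build_pol(entries) -> bytes:
    """Serialise (key, value, type, data) tuples; used here only to construct test input."""
    out = bytearray(MAGIC)
    for key, value, reg_type, data in entries:
        if reg_type == REG_DWORD:
            raw = struct.pack("<I", data)
        elif reg_type in (REG_SZ, REG_EXPAND_SZ):
            raw = _u16(data) + b"\x00\x00"          # size counts the NUL terminator
        else:
            raw = bytes(data)
        out += _u16("[") + _u16(key) + b"\x00\x00" + _u16(";") + _u16(value) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", reg_type) + _u16(";") + struct.pack("<I", len(raw)) + _u16(";")
        out += raw + _u16("]")
    return bytes(out)


def _read_str(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, offset after the NUL)."""
    end = pos
    while True:
        unit = buf[end:end + 2]
        if len(unit) < 2:
            raise ValueError(f"unterminated string at offset {pos}")
        if unit == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def _decode(reg_type: int, raw: bytes):
    if reg_type == REG_DWORD and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le").rstrip("\x00")
    if reg_type == REG_MULTI_SZ:
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return raw                                      # REG_BINARY and unknown types stay raw


def parse_pol(buf: bytes) -> Iterator[PolEntry]:
    if buf[:8] != MAGIC:
        raise ValueError("not a PReg version 1 file")
    pos = 8
    while pos < len(buf):                           # records are not aligned; walk byte offsets
        pos = _expect(buf, pos, "[")
        key, pos = _read_str(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_str(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type, = struct.unpack_from("<I", buf, pos); pos += 4
        pos = _expect(buf, pos, ";")
        size, = struct.unpack_from("<I", buf, pos); pos += 4
        pos = _expect(buf, pos, ";")
        if pos + size > len(buf):
            raise ValueError(f"data runs past end of file at offset {pos}")
        raw, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        yield PolEntry(key, value, reg_type, _decode(reg_type, raw))


def triage(buf: bytes, hive: str = "HKLM") -> List[str]:
    """One line per entry; value names starting with ** are GPO control records (deletions)."""
    lines = []
    for e in parse_pol(buf):
        action = "DELETE" if e.value.startswith("**") else "SET"
        lines.append(f"{action} {hive}\\{e.key}\\{e.value} [{TYPE_NAMES.get(e.reg_type, e.reg_type)}] = {e.data!r}")
    return lines


# Constructed input. The Chrome force-install entry is a placeholder (fake extension id
# and URL) chosen because the installer also drops a .crx; the report does not show it.
SAMPLE_ENTRIES = [
    (r"Software\Policies\Google\Chrome\ExtensionInstallForcelist", "1", REG_SZ,
     "abcdefghijklmnopabcdefghijklmnop;https://example.invalid/update.xml"),
    (r"Software\Policies\Example", "Enabled", REG_DWORD, 1),
    (r"Software\Policies\Example", "**del.Legacy", REG_SZ, " "),
]
SAMPLE_POL = build_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_POL)))
```

Machine\Registry.pol maps to HKLM, so triage() defaults the hive to HKLM; use hive="HKCU" for a User\Registry.pol. Because a local policy written this way is re-applied on every gpupdate and every boot, cleaning only the resulting registry values leaves the persistence in place; the .pol file and the gpt.ini version bump have to go too.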

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd1630.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ie\MediaWatchV1home1721.dll

MD5 2a580cc0f744c5447e8e83e62b2f59fc
SHA1 99b056fee3a1cc0ad9865735c49fd05c62207993
SHA256 92d4fcad2f1c9e9bc1b9a1150a2fb9ba1d59ec8730897a055ab6ce17689558c1
SHA512 36f49a20f13d9de60997bd306b00e744aebd307fbe959ffd4aa9c89deb112a9563699852d109cc35875c41c3a2e3cf5a2bf29548502bb78edf7ada5d8fec2bbd

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win10v2004-20231215-en

Max time kernel

120s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\ = "MediaWatchV1home1721" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\ffMediaWatchV1home1721.js C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ch\MediaWatchV1home1721.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons\default\MediaWatchV1home1721_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\ffMediaWatchV1home1721.js C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\ffMediaWatchV1home1721ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons\default\MediaWatchV1home1721_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\ffMediaWatchV1home1721ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ie\MediaWatchV1home1721.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ch\MediaWatchV1home1721.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} = 51667a6c4c1d3b1b84fd078d339a920d93952bfb7c8cc869 C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\ = "{C96BC771-7B36-4AC4-9959-1376C8CE1397}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\ = "MediaWatchV1home1721Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1721\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ = "IMediaWatchV1home1721BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\ = "{C96BC771-7B36-4AC4-9959-1376C8CE1397}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ = "IMediaWatchV1home1721BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1721\\ie\\MediaWatchV1home1721.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\ = "MediaWatchV1home1721" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1721\\ie\\MediaWatchV1home1721.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9d12e094-c805-45fa-8e9f-6abb7dcf8b77}\TypeLib\ = "{c96bc771-7b36-4ac4-9959-1376c8ce1397}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C96BC771-7B36-4AC4-9959-1376C8CE1397}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35F317AC-484E-49FF-98E7-18567ACC6C47}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_909e8c66ce11649ae9e2564bfd6069b1.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ie\MediaWatchV1home1721.dll" /s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1721\ie\MediaWatchV1home1721.dll

MD5 2a580cc0f744c5447e8e83e62b2f59fc
SHA1 99b056fee3a1cc0ad9865735c49fd05c62207993
SHA256 92d4fcad2f1c9e9bc1b9a1150a2fb9ba1d59ec8730897a055ab6ce17689558c1
SHA512 36f49a20f13d9de60997bd306b00e744aebd307fbe959ffd4aa9c89deb112a9563699852d109cc35875c41c3a2e3cf5a2bf29548502bb78edf7ada5d8fec2bbd

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 16:16

Reported

2024-02-04 16:19

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 124a5e439283e44bfa8a5d04c67bf7ee
SHA1 a39b9ccd9697d7dd180f70b715ab360715f37692
SHA256 bcd3578237b892fffff7cce754fdc2c2073df8b691ab3c6d9fb6431e5fd9e515
SHA512 da9794e7de4409304acd974e52533e9c8cc97c615a9ea5bb351255bb6108520bb4022656173b601537a2a613a98c366e65dd6498201c5cfe2f7b0137f4f65be2

C:\Users\Admin\AppData\Local\Temp\nsa6061.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361