Malware Analysis Report

2025-08-05 16:42

Sample ID 240204-tr1ckseae5
Target VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68
SHA256 1e48ba42fad238c5eb31848e810360aef3d51bd217797833b9fe6d4e34958431
Tags spyware stealer adware discovery
Score 7/10


Analysis Overview

Score 7/10

SHA256 1e48ba42fad238c5eb31848e810360aef3d51bd217797833b9fe6d4e34958431

Threat Level: Shows suspicious behavior

The file VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer adware discovery

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 16:18

Signatures

Unsigned PE


NSIS installer

installer

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4152 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4152 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4152 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2084 -ip 2084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 624

Network


Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2427chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2427chaction.js

Network


Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network


Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 8e1e52df79a4d3bd48aa9a6f00a2a323
SHA1 2ebd1bd4c013580304d0647f2c94270e1a9d93bd
SHA256 c9c2f4c68854e7662e9b0e40fbd48a617008dba06df8ef65edc4311845582a41
SHA512 649be0ae3bc503916354c55b177fe71a1f6bb2f4a5ab34cfe664f86fe89bd980a2d664301a5c6fff83cbebdc2801756e977d1897c2656bbb69fa71f8bce40845

C:\Users\Admin\AppData\Local\Temp\nss663D.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:22

Platform

win7-20231215-en

Max time kernel

122s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2427.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd}\ = "MediaWatchV1home2427" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ = "IMediaWatchV1home2427BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\TypeLib\ = "{3ffc2577-190b-4c45-bdb5-3136b267be95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\ = "MediaWatchV1home2427Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\ = "{3FFC2577-190B-4C45-BDB5-3136B267BE95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\ = "MediaWatchV1home2427" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2427.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\ = "{3FFC2577-190B-4C45-BDB5-3136B267BE95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2427.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ = "IMediaWatchV1home2427BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5816 wrote to memory of 3200 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5816 wrote to memory of 3200 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5816 wrote to memory of 3200 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2427.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2427.dll

Network


Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win7-20231215-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 8e1e52df79a4d3bd48aa9a6f00a2a323
SHA1 2ebd1bd4c013580304d0647f2c94270e1a9d93bd
SHA256 c9c2f4c68854e7662e9b0e40fbd48a617008dba06df8ef65edc4311845582a41
SHA512 649be0ae3bc503916354c55b177fe71a1f6bb2f4a5ab34cfe664f86fe89bd980a2d664301a5c6fff83cbebdc2801756e977d1897c2656bbb69fa71f8bce40845

\Users\Admin\AppData\Local\Temp\nsoB26F.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win7-20231215-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd}\ = "MediaWatchV1home2427" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\ffMediaWatchV1home2427.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons\default\MediaWatchV1home2427_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ch\MediaWatchV1home2427.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\ffMediaWatchV1home2427ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\ffMediaWatchV1home2427ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ch\MediaWatchV1home2427.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\ffMediaWatchV1home2427.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons\default\MediaWatchV1home2427_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ie\MediaWatchV1home2427.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{f0188277-b293-4174-9ba7-566c739b10fd} = 51667a6c4c1d3b1b679d08eface5190582ae102c70d157e8 C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2427\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd} C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\TypeLib\ = "{3ffc2577-190b-4c45-bdb5-3136b267be95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ = "IMediaWatchV1home2427BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\ = "{3FFC2577-190B-4C45-BDB5-3136B267BE95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\ = "{3FFC2577-190B-4C45-BDB5-3136B267BE95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2427\\ie\\MediaWatchV1home2427.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ = "IMediaWatchV1home2427BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\ = "MediaWatchV1home2427Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2427\\ie\\MediaWatchV1home2427.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\ = "MediaWatchV1home2427" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1700 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe C:\Windows\SysWOW64\gpupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ie\MediaWatchV1home2427.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd5B5A.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ie\MediaWatchV1home2427.dll

MD5 28c07962e61d1c1e2a3b169be219c961
SHA1 7dd1f02d6e181164a14aaadf605a1699897962db
SHA256 b290ee17d015b8eb149dcb5265011538f7873d3b73985d4aa53f68ef1ae7e8fd
SHA512 fdedb93a0372a8d7628f54bfeaf50a9527ad077f8c8dd35a24b7f7ba8162c4d60a9d747a743ccfb55c1bd3ced5123064a4756a2b73152de5e11b6886c808cd27

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win10v2004-20231215-en

Max time kernel

136s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd}\ = "MediaWatchV1home2427" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ie\MediaWatchV1home2427.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\ffMediaWatchV1home2427.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons\default\MediaWatchV1home2427_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons\default\MediaWatchV1home2427_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\ffMediaWatchV1home2427ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\ffMediaWatchV1home2427ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ch\MediaWatchV1home2427.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ch\MediaWatchV1home2427.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\ffMediaWatchV1home2427.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{f0188277-b293-4174-9ba7-566c739b10fd} = 51667a6c4c1d3b1b679503efade51a0e8eab093371df5ce5 C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2427\\ie\\MediaWatchV1home2427.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ = "IMediaWatchV1home2427BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd} C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\ = "{3FFC2577-190B-4C45-BDB5-3136B267BE95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\ = "{3FFC2577-190B-4C45-BDB5-3136B267BE95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2427\\ie\\MediaWatchV1home2427.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\ = "MediaWatchV1home2427Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\ = "MediaWatchV1home2427" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\TypeLib\ = "{3ffc2577-190b-4c45-bdb5-3136b267be95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2427\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ = "IMediaWatchV1home2427BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B} C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ie\MediaWatchV1home2427.dll" /s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\nsk9367.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ie\MediaWatchV1home2427.dll

MD5 28c07962e61d1c1e2a3b169be219c961
SHA1 7dd1f02d6e181164a14aaadf605a1699897962db
SHA256 b290ee17d015b8eb149dcb5265011538f7873d3b73985d4aa53f68ef1ae7e8fd
SHA512 fdedb93a0372a8d7628f54bfeaf50a9527ad077f8c8dd35a24b7f7ba8162c4d60a9d747a743ccfb55c1bd3ced5123064a4756a2b73152de5e11b6886c808cd27

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win7-20231215-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 1104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1104 -ip 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 624

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win7-20231215-en

Max time kernel

118s

Max time network

130s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2427.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2427.js

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win7-20231215-en

Max time kernel

120s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2427ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2427ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

95s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2427ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2427ffaction.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2427.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd}\ = "MediaWatchV1home2427" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f0188277-b293-4174-9ba7-566c739b10fd}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ = "IMediaWatchV1home2427BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ = "IMediaWatchV1home2427BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\ = "MediaWatchV1home2427" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2427.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2427.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\ = "{3FFC2577-190B-4C45-BDB5-3136B267BE95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\TypeLib\ = "{3ffc2577-190b-4c45-bdb5-3136b267be95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\ = "MediaWatchV1home2427Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib\ = "{3FFC2577-190B-4C45-BDB5-3136B267BE95}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f0188277-b293-4174-9ba7-566c739b10fd}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3FFC2577-190B-4C45-BDB5-3136B267BE95}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{814C370D-2545-40A4-9527-05E7B3BAB74B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 1668 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2427.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2427.dll

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win7-20231215-en

Max time kernel

118s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2427chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2427chaction.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:20

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2427.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2427.js

Network

Country Destination Domain Proto

Files

N/A