Malware Analysis Report

2025-08-05 16:42

Sample ID 240204-tsy6xagbfp
Target VirusShare_a8c1c370bc3667f8ab42733e0473125e
SHA256 fa32c94aff2c3c6635800ccd22320866ca0217a7b151992674bb8fee63e2edae
Tags
adware discovery spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

fa32c94aff2c3c6635800ccd22320866ca0217a7b151992674bb8fee63e2edae

Threat Level: Shows suspicious behavior

The file VirusShare_a8c1c370bc3667f8ab42733e0473125e was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-02-04 16:19

Signatures

Unsigned PE


NSIS installer

installer

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win7-20231215-en

Max time kernel

125s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\ = "MediaWatchV1home1747" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons\default\MediaWatchV1home1747_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ch\MediaWatchV1home1747.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\ffMediaWatchV1home1747.js C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\ffMediaWatchV1home1747ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons\default\MediaWatchV1home1747_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ie\MediaWatchV1home1747.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ch\MediaWatchV1home1747.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\ffMediaWatchV1home1747.js C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\ffMediaWatchV1home1747ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} = 51667a6c4c1d3b1b3ddeaa7bfcd59a0e94de19f4e00bb4a2 C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\TypeLib\ = "{53a34c9c-4425-4fe7-9282-6c55762bcbe8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\ = "{53A34C9C-4425-4FE7-9282-6C55762BCBE8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\ = "MediaWatchV1home1747Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1747\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ = "IMediaWatchV1home1747BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ = "IMediaWatchV1home1747BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\ = "MediaWatchV1home1747" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1747\\ie\\MediaWatchV1home1747.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\ = "{53A34C9C-4425-4FE7-9282-6C55762BCBE8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1747\\ie\\MediaWatchV1home1747.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2140 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2140 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2140 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2140 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2140 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2140 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2140 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2140 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2140 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2140 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2140 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2140 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2140 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe C:\Windows\SysWOW64\gpupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ie\MediaWatchV1home1747.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy70DD.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ie\MediaWatchV1home1747.dll

MD5 6588cc802bcc1b1a75c466b176354b71
SHA1 1d9cd3d5b14d5507f2ceb941d00f2da237012f63
SHA256 4e1f8de9ad11ad28e0f11d9985afaf8d3ed54805ab740b663df2342da13d3558
SHA512 ff166a11d3bfbbc8c2f370f6adcf29daf66b6eb38403298bebec8e1ce040e721020c3793b3e38bf020cf76c37db654bec7616e8668b9fe4392236bf9720e750d

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home1747chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home1747chaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1747ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1747ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win7-20231215-en

Max time kernel

118s

Max time network

122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1747.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\ = "MediaWatchV1home1747" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\ = "{53A34C9C-4425-4FE7-9282-6C55762BCBE8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\ = "{53A34C9C-4425-4FE7-9282-6C55762BCBE8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home1747.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ = "IMediaWatchV1home1747BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home1747.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\TypeLib\ = "{53a34c9c-4425-4fe7-9282-6c55762bcbe8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\ = "MediaWatchV1home1747Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\ = "MediaWatchV1home1747" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ = "IMediaWatchV1home1747BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2384 wrote to memory of 2968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2384 wrote to memory of 2968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2384 wrote to memory of 2968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2384 wrote to memory of 2968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2384 wrote to memory of 2968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2384 wrote to memory of 2968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1747.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1747.dll

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win7-20231215-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 e48660142c8f18cd883fce9e6b8e3f16
SHA1 551e8617ca09efed3323f944bd56c35c17d53bf0
SHA256 5fb692eab4e63266b343906b0a69719025a4e115da8bb94a115b010956daf5f1
SHA512 9a86f1056064f0a5b906db064e98883f1bd889c3afd7f2f3bdeab304829bc7b5d40aad70b78796ffc89ed641b9156f41c8ab505827bd8c96cee6c3496684c1a1

\Users\Admin\AppData\Local\Temp\nsy65E5.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win10v2004-20231215-en

Max time kernel

133s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 e48660142c8f18cd883fce9e6b8e3f16
SHA1 551e8617ca09efed3323f944bd56c35c17d53bf0
SHA256 5fb692eab4e63266b343906b0a69719025a4e115da8bb94a115b010956daf5f1
SHA512 9a86f1056064f0a5b906db064e98883f1bd889c3afd7f2f3bdeab304829bc7b5d40aad70b78796ffc89ed641b9156f41c8ab505827bd8c96cee6c3496684c1a1

C:\Users\Admin\AppData\Local\Temp\nsl2E30.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win7-20231215-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4468 wrote to memory of 4128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4468 wrote to memory of 4128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4468 wrote to memory of 4128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4128 -ip 4128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\ = "MediaWatchV1home1747" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ch\MediaWatchV1home1747.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\ffMediaWatchV1home1747.js C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\ffMediaWatchV1home1747.js C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons\default\MediaWatchV1home1747_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ie\MediaWatchV1home1747.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\ffMediaWatchV1home1747ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons\default\MediaWatchV1home1747_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ch\MediaWatchV1home1747.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\ffMediaWatchV1home1747ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} = 51667a6c4c1d3b1b3ddcac7af9d4920390dc1ff4e00dbda9 C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\ = "MediaWatchV1home1747" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1747\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1747\\ie\\MediaWatchV1home1747.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ = "IMediaWatchV1home1747BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home1747\\ie\\MediaWatchV1home1747.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\ = "{53A34C9C-4425-4FE7-9282-6C55762BCBE8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\ = "{53A34C9C-4425-4FE7-9282-6C55762BCBE8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\TypeLib\ = "{53a34c9c-4425-4fe7-9282-6c55762bcbe8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\ = "MediaWatchV1home1747Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ = "IMediaWatchV1home1747BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_a8c1c370bc3667f8ab42733e0473125e.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ie\MediaWatchV1home1747.dll" /s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsx4D94.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home1747\ie\MediaWatchV1home1747.dll

MD5 6588cc802bcc1b1a75c466b176354b71
SHA1 1d9cd3d5b14d5507f2ceb941d00f2da237012f63
SHA256 4e1f8de9ad11ad28e0f11d9985afaf8d3ed54805ab740b663df2342da13d3558
SHA512 ff166a11d3bfbbc8c2f370f6adcf29daf66b6eb38403298bebec8e1ce040e721020c3793b3e38bf020cf76c37db654bec7616e8668b9fe4392236bf9720e750d

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win7-20231215-en

Max time kernel

122s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1747.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1747.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

147s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1747.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1747.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1747.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\ = "MediaWatchV1home1747" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ = "IMediaWatchV1home1747BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\ = "MediaWatchV1home1747Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\ = "MediaWatchV1home1747" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\TypeLib\ = "{53a34c9c-4425-4fe7-9282-6c55762bcbe8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home1747.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\ = "{53A34C9C-4425-4FE7-9282-6C55762BCBE8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ = "IMediaWatchV1home1747BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home1747.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53A34C9C-4425-4FE7-9282-6C55762BCBE8} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA94CF11-B65D-43CF-8FF6-B1FB5024A030}\TypeLib\ = "{53A34C9C-4425-4FE7-9282-6C55762BCBE8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60bcc32d-83cc-4bfd-8bd1-5cb4e14cf8bc}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2296 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2296 wrote to memory of 2804 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1747.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home1747.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win7-20231215-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3540 wrote to memory of 904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3540 wrote to memory of 904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 904 -ip 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home1747chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home1747chaction.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 16:19

Reported

2024-02-04 16:22

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1747ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home1747ffaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp

Files

N/A