Malware Analysis Report

2025-08-05 16:43

Sample ID 240204-ttyxjaebc4
Target VirusShare_de1d9d35a790080138c0aa5efd78ac2c
SHA256 597c1d7ea178d6def194608b6bbf233a8892ec001a6c0063a35553dde948c5b0
Tags
adware discovery spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

597c1d7ea178d6def194608b6bbf233a8892ec001a6c0063a35553dde948c5b0

Threat Level: Shows suspicious behavior

The file VirusShare_de1d9d35a790080138c0aa5efd78ac2c was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 16:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win10v2004-20231222-en

Max time kernel

121s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\ = "RichMediaViewV1release234" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\ffRichMediaViewV1release234ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons\default\RichMediaViewV1release234_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ie\RichMediaViewV1release234.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\ffRichMediaViewV1release234ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ch\RichMediaViewV1release234.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\ffRichMediaViewV1release234.js C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons\default\RichMediaViewV1release234_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\ffRichMediaViewV1release234.js C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ch\RichMediaViewV1release234.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} = 51667a6c4c1d3b1beaad87fe9c9bed0ca0cfa65ad0c1efe9 C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release234\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\ = "RichMediaViewV1release234" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\ = "RichMediaViewV1release234Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\ = "{78690644-8DA1-4D46-BB8D-032494388AD4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release234\\ie\\RichMediaViewV1release234.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\ = "{78690644-8DA1-4D46-BB8D-032494388AD4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ = "IRichMediaViewV1release234BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\TypeLib\ = "{78690644-8da1-4d46-bb8d-032494388ad4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ = "IRichMediaViewV1release234BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release234\\ie\\RichMediaViewV1release234.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ie\RichMediaViewV1release234.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\nsa48D1.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ie\RichMediaViewV1release234.dll

MD5 54172d2c0816ec37f97ea8fdef19b247
SHA1 a44af12822a1567276bedf0dd148bb6dc6e94b78
SHA256 a05699032c4a81e650a626ca06bd8eb84b721d1884651972e8ac4027befcabc0
SHA512 b41411b71139ab023e4e69fa16a066dd0bb8d1712d860ef69446c40229a0b3481a1c6dc9466f8b7701923761bd6fcc5f51e099f89ce27290c6502a0f2f0d134a

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win10v2004-20231222-en

Max time kernel

89s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1160 wrote to memory of 3372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1160 wrote to memory of 3372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1160 wrote to memory of 3372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3372 -ip 3372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 624

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release234chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release234chaction.js

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win10v2004-20231222-en

Max time kernel

91s

Max time network

95s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release234chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release234chaction.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 2d24ab8fe6b6e95040936ebe8a1ddc7a
SHA1 1f63bdae22e3ca7d6344cc06448b712503016cdb
SHA256 f87582af2ae7fc48c78e4d06c51f4bfbc254674a5c060226000da84916073961
SHA512 5879115b7a0474f66c8f62558de7305ec0522b8b523cda798f1fdc862d8ef16a5cc9220b9641959031a41d31e2c7c73d4ede80754551f99d9dda55d332be742b

C:\Users\Admin\AppData\Local\Temp\nsx665C.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win7-20231215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 220

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win7-20231215-en

Max time kernel

119s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release234.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\ = "RichMediaViewV1release234" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ = "IRichMediaViewV1release234BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release234.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\ = "RichMediaViewV1release234" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ = "IRichMediaViewV1release234BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release234.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\ = "RichMediaViewV1release234Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\ = "{78690644-8DA1-4D46-BB8D-032494388AD4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\ = "{78690644-8DA1-4D46-BB8D-032494388AD4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\TypeLib\ = "{78690644-8da1-4d46-bb8d-032494388ad4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2260 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 2260 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 2260 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 2260 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 2260 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 2260 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 2260 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release234.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release234.dll

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

95s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release234.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\ = "RichMediaViewV1release234" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\ = "RichMediaViewV1release234" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\ = "{78690644-8DA1-4D46-BB8D-032494388AD4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\ = "RichMediaViewV1release234Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\ = "{78690644-8DA1-4D46-BB8D-032494388AD4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ = "IRichMediaViewV1release234BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release234.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release234.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ = "IRichMediaViewV1release234BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\TypeLib\ = "{78690644-8da1-4d46-bb8d-032494388ad4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 332 wrote to memory of 4328 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 332 wrote to memory of 4328 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 332 wrote to memory of 4328 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release234.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release234.dll

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win7-20231215-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 220

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win7-20231215-en

Max time kernel

118s

Max time network

119s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release234.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release234.js

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release234ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release234ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release234ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release234ffaction.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win7-20231129-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 2d24ab8fe6b6e95040936ebe8a1ddc7a
SHA1 1f63bdae22e3ca7d6344cc06448b712503016cdb
SHA256 f87582af2ae7fc48c78e4d06c51f4bfbc254674a5c060226000da84916073961
SHA512 5879115b7a0474f66c8f62558de7305ec0522b8b523cda798f1fdc862d8ef16a5cc9220b9641959031a41d31e2c7c73d4ede80754551f99d9dda55d332be742b

C:\Users\Admin\AppData\Local\Temp\nst2EA0.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win10v2004-20231222-en

Max time kernel

92s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4520 wrote to memory of 4948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4520 wrote to memory of 4948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4520 wrote to memory of 4948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4948 -ip 4948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 624

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\ = "RichMediaViewV1release234" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\ffRichMediaViewV1release234ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ch\RichMediaViewV1release234.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ie\RichMediaViewV1release234.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ch\RichMediaViewV1release234.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\ffRichMediaViewV1release234.js C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\ffRichMediaViewV1release234ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons\default\RichMediaViewV1release234_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\ffRichMediaViewV1release234.js C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content\icons\default\RichMediaViewV1release234_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} = 51667a6c4c1d3b1beaad89fc9898ed08a1cfab5ad5c2eae1 C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\ = "RichMediaViewV1release234Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release234\\ie\\RichMediaViewV1release234.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release234\\ie\\RichMediaViewV1release234.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\ = "{78690644-8DA1-4D46-BB8D-032494388AD4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ = "IRichMediaViewV1release234BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\ = "{78690644-8DA1-4D46-BB8D-032494388AD4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ = "IRichMediaViewV1release234BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\ = "RichMediaViewV1release234" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\TypeLib\ = "{78690644-8da1-4d46-bb8d-032494388ad4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release234\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e79db0fa-cda8-4083-b5c6-ed1ad181a9fc}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{995D9358-246D-4577-B8A7-8CFC732DE2C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78690644-8DA1-4D46-BB8D-032494388AD4}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1364 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1364 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1364 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1364 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1364 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1364 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1364 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1364 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1364 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1364 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1364 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1364 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1364 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1364 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe C:\Windows\SysWOW64\gpupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_de1d9d35a790080138c0aa5efd78ac2c.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ie\RichMediaViewV1release234.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst17C6.tmp\aminsis.dll

MD5 9e938d5e09109bfd96e4fd70e9e195b0
SHA1 a25bf60381f4b5663c5b7163aa55e5b074a0ce86
SHA256 5fde8ca9c46139da46230a892ad29589e30ef258113c1e521257a93a7afe39eb
SHA512 00d3952d0cce1763e81f4c8794440418e03aded36324730f098c31f100d3cf6e36856b79046cfe37ac7f22936ec2c20fa78c24cea388811e09c8968bb152be99

C:\Users\Admin\AppData\Local\Temp\nst17C6.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release234\ie\RichMediaViewV1release234.dll

MD5 54172d2c0816ec37f97ea8fdef19b247
SHA1 a44af12822a1567276bedf0dd148bb6dc6e94b78
SHA256 a05699032c4a81e650a626ca06bd8eb84b721d1884651972e8ac4027befcabc0
SHA512 b41411b71139ab023e4e69fa16a066dd0bb8d1712d860ef69446c40229a0b3481a1c6dc9466f8b7701923761bd6fcc5f51e099f89ce27290c6502a0f2f0d134a

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 16:21

Reported

2024-02-04 16:24

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release234.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release234.js

Network

Country Destination Domain Proto

Files

N/A