Malware Analysis Report

2025-08-05 16:43

Sample ID 240204-tv4t6sebe6
Target VirusShare_ef628936d86c881711b36ed9f2fe244e
SHA256 208d2d73481c89d5d3f2a83835ba6f64d3afe07b0604fc339a7e90ad596ae9ac
Tags
adware stealer discovery spyware
score
7/10

Analysis Overview

score
7/10

SHA256

208d2d73481c89d5d3f2a83835ba6f64d3afe07b0604fc339a7e90ad596ae9ac

Threat Level: Shows suspicious behavior

The file VirusShare_ef628936d86c881711b36ed9f2fe244e was found to show suspicious behavior.

Malicious Activity Summary

adware stealer discovery spyware

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 16:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

122s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

118s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release116ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release116ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231215-en

Max time kernel

137s

Max time network

160s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release116ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release116ffaction.js

Network

Country  Destination          Domain                          Proto
NL       52.142.223.178:80    N/A                             tcp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa      udp
US       8.8.8.8:53           193.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           134.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa      udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa      udp
US       8.8.8.8:53           56.126.166.20.in-addr.arpa      udp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa     udp
US       8.8.8.8:53           18.134.221.88.in-addr.arpa      udp
US       8.8.8.8:53           114.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53           81.171.91.138.in-addr.arpa      udp
US       8.8.8.8:53           210.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           178.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           67.112.168.52.in-addr.arpa      udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231215-en

Max time kernel

128s

Max time network

169s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release116.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c}\ = "RichMediaViewV1release116" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release116.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\ = "RichMediaViewV1release116Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\ = "{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\TypeLib\ = "{dbdd9db8-8f69-4bb4-bde7-c529f1e1b10d}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ = "IRichMediaViewV1release116BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\ = "RichMediaViewV1release116" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release116.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ = "IRichMediaViewV1release116BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\ = "{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4224 wrote to memory of 4724 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4224 wrote to memory of 4724 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4224 wrote to memory of 4724 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release116.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release116.dll

Network

Country  Destination          Domain                          Proto
US       20.231.121.79:80     N/A                             tcp
US       8.8.8.8:53           193.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa      udp
US       8.8.8.8:53           13.86.106.20.in-addr.arpa       udp
US       8.8.8.8:53           149.220.183.52.in-addr.arpa     udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa      udp
US       8.8.8.8:53           56.126.166.20.in-addr.arpa      udp
US       8.8.8.8:53           18.134.221.88.in-addr.arpa      udp
US       8.8.8.8:53           21.236.111.52.in-addr.arpa      udp
US       8.8.8.8:53           179.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           58.189.79.40.in-addr.arpa       udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c}\ = "RichMediaViewV1release116" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ch\RichMediaViewV1release116.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\ffRichMediaViewV1release116.js C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\ffRichMediaViewV1release116.js C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\ffRichMediaViewV1release116ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons\default\RichMediaViewV1release116_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ch\RichMediaViewV1release116.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons\default\RichMediaViewV1release116_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\ffRichMediaViewV1release116ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ie\RichMediaViewV1release116.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{63504b83-0450-4d13-87af-623af1ef426c} = 51667a6c4c1d3b1b9356447860517d0593a6247af5ac0171 C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\TypeLib\ = "{dbdd9db8-8f69-4bb4-bde7-c529f1e1b10d}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release116\\ie\\RichMediaViewV1release116.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c} C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\ = "{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release116\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ = "IRichMediaViewV1release116BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release116\\ie\\RichMediaViewV1release116.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\ = "{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ = "IRichMediaViewV1release116BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\ = "RichMediaViewV1release116" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\ = "RichMediaViewV1release116Lib" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1972 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1972 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1972 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1972 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1972 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1972 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1972 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1972 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1972 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1972 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1972 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1972 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1972 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe C:\Windows\SysWOW64\gpupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ie\RichMediaViewV1release116.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd1A74.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ie\RichMediaViewV1release116.dll

MD5 edda7b7b239ba2b1f370145ee2defe4e
SHA1 66d60c54bbdaa26be11c3cd2cb7f0d7c9bbbb31f
SHA256 c1eb71dae33b855f250ce059f4c34e29b48f4e9580bf40a681c02d68133767e5
SHA512 7ed55891333448bbe5dc5bbf791534e6b6b47123c9bdebdb04463befed24853ddfad2980f551986635c89f24f9d9888847441f3c1aa8a1950d535d747017a7b4

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1472 wrote to memory of 828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1472 wrote to memory of 828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1472 wrote to memory of 828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 828 -ip 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231215-en

Max time kernel

129s

Max time network

171s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release116chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release116chaction.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release116.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release116.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

120s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 932 wrote to memory of 1352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 932 wrote to memory of 1352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 932 wrote to memory of 1352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1352 -ip 1352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 632

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

120s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release116chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release116chaction.js

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

121s

Max time network

130s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release116.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c}\ = "RichMediaViewV1release116" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\ = "{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ = "IRichMediaViewV1release116BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ = "IRichMediaViewV1release116BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\ = "RichMediaViewV1release116Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\ = "RichMediaViewV1release116" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release116.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\TypeLib\ = "{dbdd9db8-8f69-4bb4-bde7-c529f1e1b10d}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\ = "{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release116.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1824 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1824 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release116.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release116.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c}\ = "RichMediaViewV1release116" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63504b83-0450-4d13-87af-623af1ef426c}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\ffRichMediaViewV1release116.js C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\ffRichMediaViewV1release116ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ch\RichMediaViewV1release116.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons\default\RichMediaViewV1release116_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ch\RichMediaViewV1release116.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\ffRichMediaViewV1release116.js C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\icons\default\RichMediaViewV1release116_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ie\RichMediaViewV1release116.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\ffRichMediaViewV1release116ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{63504b83-0450-4d13-87af-623af1ef426c} = 51667a6c4c1d3b1b9356427d645675019dac207af5af0278 C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\ = "RichMediaViewV1release116" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\ = "{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\ = "{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c} C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\ = "RichMediaViewV1release116Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release116\\ie\\RichMediaViewV1release116.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ = "IRichMediaViewV1release116BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release116\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ = "IRichMediaViewV1release116BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\TypeLib\ = "{dbdd9db8-8f69-4bb4-bde7-c529f1e1b10d}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4E926A9-6721-4707-BCF0-62CD489E3765}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63504b83-0450-4d13-87af-623af1ef426c}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release116\\ie\\RichMediaViewV1release116.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBDD9DB8-8F69-4BB4-BDE7-C529F1E1B10D}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_ef628936d86c881711b36ed9f2fe244e.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ie\RichMediaViewV1release116.dll" /s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\nsc18D3.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release116\ie\RichMediaViewV1release116.dll

MD5 edda7b7b239ba2b1f370145ee2defe4e
SHA1 66d60c54bbdaa26be11c3cd2cb7f0d7c9bbbb31f
SHA256 c1eb71dae33b855f250ce059f4c34e29b48f4e9580bf40a681c02d68133767e5
SHA512 7ed55891333448bbe5dc5bbf791534e6b6b47123c9bdebdb04463befed24853ddfad2980f551986635c89f24f9d9888847441f3c1aa8a1950d535d747017a7b4

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

121s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release116.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release116.js

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 5b2ef119a26f0723f8a42711289d1c08
SHA1 34758c943eb983156339a807c595bd7bff338e56
SHA256 882824f4f2f030eb9d717a7371ea9a8df78aa01a5e341d415f6fcc3446bfae4e
SHA512 94a10ea57636669b2b7fdcf22e61f642e115782be2ee215c9d13bf4d5f7704ba73803f7804b501c395181b2459e30a3be78ccd7ded36f73daa9b529972e0afdb

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 2209fd8c19f9ba3829d10c6dbaba5c93
SHA1 33f4e63e76a9e19201a63f538e17bfdbe67efade
SHA256 0ef5324c4f2dca09451d81f18b23ca7c6e36fb11a396e6685c6f84e52f71daef
SHA512 b1e859218341c82ad296d8b18e5105b89e005ca61c2bec831458e9c14438faf5a5f1232ac4a4ab327751d5ee62842c417d322e89eb2f5ac6667eedd74d593c10

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 3eea7cf389986a43b7134ab8e14b9971
SHA1 fd583f6bbba5ae19ee99bff6ce7d1c0177038a87
SHA256 2cf0c6600502227fff466c81cd027dda80ba550c70c38e405cfdf20ac54b4843
SHA512 8a5a9951a4175c35f39a795fbe367fb36084fa0be217f11a196b1da75316be35d00f705fc0c8a228d0fa539b70e32397305c1ec105e27145fa7796c611a1dfa5

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 1f903feb8cd2da1b88e2836781a5abf2
SHA1 e5aa39eee8cb0045f77388c99e16ff65a25dfafd
SHA256 caaedd1582a1e4fcbce623e961701ae1bc95a88ecbc90872db3f5be120791dca
SHA512 17427ad4cdc220d46e8c958e5844a4f13bf676628c0a2ddd15869af9228f7dab1f3166d5edf9e06d18fca2dcb85d6c732e1eae575af3e5fe91152d239edc0fe6

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 f5caa1c66725e248566f9ffade1d55a4
SHA1 12f20dc1b06045934bcf0c9b23490fd799d7cd2c
SHA256 7fa7eb7b38ef4d8907ed009b82f5f41b620e6457b794a9f781d26a91b3071498
SHA512 9b101f3660b6d5ccf72bbdd7fc1eca021d0571bb115615276a47555646b62d8d7cbd003014464823a508975679949b3ff84e881ce1578b4976fdd0c805eda75d

C:\Users\Admin\AppData\Local\Temp\nss5B11.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab