Malware Analysis Report

2025-08-05 16:44

Sample ID: 240204-xmzr2ageg7
Target: 8fe893c04c504d9757cc28a75eddeeba
SHA256: 7ecf992f19dffdd28863aeb32309570b3ae896dd151f4fea1986f79853cf38be
Tags: adware discovery stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral12, behavioral14, behavioral2, behavioral10, behavioral21, behavioral1, behavioral6, behavioral9, behavioral15, behavioral16, behavioral19, behavioral20, behavioral22, behavioral3, behavioral5, behavioral17, behavioral18, behavioral13, behavioral4, behavioral7, behavioral8, behavioral11 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: 7ecf992f19dffdd28863aeb32309570b3ae896dd151f4fea1986f79853cf38be

Threat Level: Shows suspicious behavior

The file 8fe893c04c504d9757cc28a75eddeeba was found to show suspicious behavior.

Malicious Activity Summary

Tags: adware discovery stealer

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 18:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NSIS installer

Tags: installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\c3a019\mineepnad.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2412 wrote to memory of 1416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2412 wrote to memory of 1416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2412 wrote to memory of 1416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\c3a019\mineepnad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\c3a019\mineepnad.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win10v2004-20231215-en

Max time kernel

89s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\midiasvc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\midiasvc.exe

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\midiasvc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
NL | 52.142.223.178:80 | (none) | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\WOW6432Node\CLSID\tst_key = "test_ok" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe

"C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | default.minefilter.com | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\nsu5209.tmp\nsProcess.dll

MD5 8f4ac52cb2f7143f29f114add12452ad
SHA1 29dc25f5d69bf129d608b83821c8ec8ab8c8edb3
SHA256 b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04
SHA512 2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c

C:\Users\Admin\AppData\Local\Temp\nsu5209.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

memory/4256-16-0x0000000002980000-0x0000000002A15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~nsis\c3a019\mineepnad.dll

MD5 f1b0e3e318416d0684ab5950369f11d5
SHA1 2e6bd84b573608c5932702d16f4a4324d8c15006
SHA256 f429257098b177b978d6378ee4fa8bb449f39134f92629594a7a5dbc94111124
SHA512 a7d979fdf78ca98f97497f1076e3a3795fd00bd706c9a20224984267b463a19137a9b836e8dcdacfb7f7fd3a28cc2b6764f10bc493465d85243a9326dd215b6b

C:\Users\Admin\AppData\Local\Temp\~nsis\c3a019\mineepnad.dll

MD5 347c0c851e5230536f5867b0ebc1568e
SHA1 7787a7c0404c2ad4b0f6feda83c73b61b310e659
SHA256 b7aca04cc4253317817f0cb23c52ae9b19c8c648be8493933cf20ad7aa8dedf8
SHA512 3cc07690c69d5982e552164833e7b4687a0650e1e226f5274ed04caf355f400bf972971b827767b2c54aaa1ccce355ca2822591d7a30b39b87f4256e3d249d7d

C:\Users\Admin\AppData\Local\Temp\~nsis\c3a019\MINEEP~1.DLL

MD5 84e4af439cfa4e555eb2e84f36fcb1fe
SHA1 11f495bc7b6941ffdd881c7d135ddf674667bd6b
SHA256 9f3c348b2967a2582f3276f426343cce69a13fccf58a7413d64fa2deb156fa03
SHA512 10549db9c5cd20b2f3b3431e75aff38ed002572b7dced4808636e66c768291d8b9739f0b9d056955accc623b146939a1e1406ec656eb85021dec1e286feede95

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win10v2004-20231222-en

Max time kernel

88s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2788 wrote to memory of 444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 444 -ip 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 608

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 138.91.171.81:80 | (none) | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win7-20231215-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\minerun.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\minerun.exe

"C:\Users\Admin\AppData\Local\Temp\minerun.exe"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win7-20231129-en

Max time kernel

130s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
N/A | N/A | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
N/A | N/A | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
N/A | N/A | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
N/A | N/A | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\midiasvc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\midiasvc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\midiasvc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\midiasvc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\midiasvc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\midiasvc.exe | N/A

Checks installed software on the system

Tags: discovery

Installs/modifies Browser Helper Object

Tags: stealer adware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilterc3a019APIClass Helper" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\midiasvc.exe | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\MineFilter\Log\minefilter_up_20240204.txt | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
File created | C:\Program Files (x86)\MineFilter\mine_uins.dat | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
File created | C:\Program Files (x86)\MineFilter\mineep.dl_ | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
File created | C:\Program Files (x86)\MineFilter\mineepnad.dl_ | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
File created | C:\Program Files (x86)\MineFilter\minerun.ex_ | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
File opened for modification | C:\Program Files (x86)\MineFilter\homepage.url | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
File created | C:\Program Files (x86)\MineFilter\mineepsvc.ex_ | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
File opened for modification | C:\Program Files (x86)\MineFilter\intro.url | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
File created | C:\Program Files (x86)\MineFilter\uninst.exe | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8\WpadDecision = "0" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadNetworkName = "Network 3" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecisionTime = 0060e0859c57da01 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E} | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\f6-98-7a-0a-d3-d8 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8\WpadDecisionTime = 0060e0859c57da01 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecisionReason = "1" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecision = "0" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8\WpadDetectedUrl | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecisionTime = 80060d609c57da01 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8\WpadDecisionReason = "1" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8\WpadDecisionTime = 80060d609c57da01 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\ = "MineFilterc3a019APIClass Class" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\MineFilter\\" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32\ = "C:\\Program Files (x86)\\MineFilter\\mineep.dll" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\ = "MineFilterc3a019APIClass 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\tst_key = "test_ok" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilter" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\ = "MineFilterc3a019APIClass Class" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ = "C:\\Program Files (x86)\\MineFilter\\mineep.dll" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\Programmable | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Program Files (x86)\MineFilter\mineepsvc.exe
PID 2536 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe
PID 2536 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe C:\Windows\SysWOW64\midiasvc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe

"C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe"

C:\Program Files (x86)\MineFilter\mineepsvc.exe

"C:\Program Files (x86)\MineFilter\mineepsvc.exe" /i

C:\Program Files (x86)\MineFilter\mineepsvc.exe

"C:\Program Files (x86)\MineFilter\mineepsvc.exe" /start

C:\Program Files (x86)\MineFilter\mineepsvc.exe

"C:\Program Files (x86)\MineFilter\mineepsvc.exe"

C:\Windows\SysWOW64\midiasvc.exe

C:\Windows\SysWOW64\midiasvc.exe

C:\Windows\SysWOW64\midiasvc.exe

"C:\Windows\System32\midiasvc.exe" /start

C:\Windows\SysWOW64\midiasvc.exe

"C:\Windows\System32\midiasvc.exe" /i

Network

Country Destination Domain Proto
US 8.8.8.8:53 default.minefilter.com udp

Files

\Users\Admin\AppData\Local\Temp\nsd6F4.tmp\nsProcess.dll

MD5 8f4ac52cb2f7143f29f114add12452ad
SHA1 29dc25f5d69bf129d608b83821c8ec8ab8c8edb3
SHA256 b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04
SHA512 2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c

\Users\Admin\AppData\Local\Temp\nsd6F4.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\~nsis\c3a019\mineepnad.dll

MD5 84e4af439cfa4e555eb2e84f36fcb1fe
SHA1 11f495bc7b6941ffdd881c7d135ddf674667bd6b
SHA256 9f3c348b2967a2582f3276f426343cce69a13fccf58a7413d64fa2deb156fa03
SHA512 10549db9c5cd20b2f3b3431e75aff38ed002572b7dced4808636e66c768291d8b9739f0b9d056955accc623b146939a1e1406ec656eb85021dec1e286feede95

memory/2536-12-0x0000000000A50000-0x0000000000AE5000-memory.dmp

\Users\Admin\AppData\Local\Temp\~nsis\c3a019\mineepnad.dll

MD5 d368e7623ea3d3f16d1c6a5a3b9f98ad
SHA1 217e8d0f57e56c0e20b37df1cdc0914c4913a576
SHA256 806e93e7e29fa96dccd577dbc141d8ecb035bca539213e317a9c877843eb022a
SHA512 21c2d097a9bf11ec0e2a0dde7cd8f0ec385f7deb97bb6221d661ba3e7b8f753cffd0b8e5cd2a5b106dd59e9dca8dda29c394d2f770f97275ec1e889165a9270e

C:\Program Files (x86)\MineFilter\mineepnad.dl_

MD5 3b7094c6d626e29c8511675edd536780
SHA1 74533a0ce89e6f26c882b30ac640182f0779335c
SHA256 058087c518c79d4c4946cc7ee5db5b9ba094cfd3284cbc76d3eee6d27ccab7d0
SHA512 a41d9f1de18dae4c4625497b6c8dcaec88ebe025bb0d07e28cec3e2fdf26866da901aa625c672fc3a138ccb6dd97969f307edf12daa2e5a977077728c4e787dc

\Program Files (x86)\MineFilter\mineep.dll

MD5 e9c8cf0b8809bd059bfe95967d7dd25d
SHA1 7071de057fee221be15e9723635978e2d355f867
SHA256 875238a8ddef3d83220d277f4d897852821805ea1c985ff620cde47e567789e6
SHA512 d8ebd9770787fc8f4e2cbb8361412251978150bd0d7d624a32c59cac04594f7cb27644e9a09fab5790663273c0c91222d17701805a20652c5d7743b17bacd0aa

memory/2536-31-0x0000000003150000-0x000000000316F000-memory.dmp

\Program Files (x86)\MineFilter\mineepsvc.exe

MD5 7447b67843066dbc18c1b79bc7ac1570
SHA1 db46fff5a3ba16fbb027ddc508a48fd5ab19a4b2
SHA256 3d74fe08f3dea2fd98a9bb9db42c7a65c012fe902a368ded9eee44403e7165e8
SHA512 d422613b734635f34f8ffef2aafd3be00d0690d7338ffb60793d303247143b69ff3706e7081246705221487ff07459a60de887e343e66222fe0c5908eb2bc55c

C:\Program Files (x86)\MineFilter\mineepnad.dll

MD5 dd81543f3851a9a6730bed215af99813
SHA1 5794d7d463f6137ca36e3c02d0c10c33f690c30d
SHA256 3958fee4d0b129f70cc808240d4e80c42f3f93654d27bf82bf3a5c4546f02642
SHA512 68bd526ca20d09f09c0bf7535e07054d51b7890eb5aa6784d7908bded88dbf8b2389cdbfb6a8d814c90368ffaf9f82b3224cf7e6c2366fd77caf9cf3b73f83c6

C:\Program Files (x86)\MineFilter\minerun.exe

MD5 9481d2fe24557e040e5b01f886cc5747
SHA1 f7bd29e9b85718a88955a611c4d01e1b3a904916
SHA256 e2e998a497933c47f654f66bf36d26e34e01ab8f6275ca59ef467e71ecb97ca5
SHA512 25c8debb220a21f62513080026439fbbaedf9d3300bd4bdad2fe6f7167d896a83c2a806f28fd6abe9cddcd0f70cfda3eddd55b8104280cd010a3d96792349dfe

C:\Windows\SysWOW64\midiasvc.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\midiasvc.exe

MD5 c1f096e1cc6e6901830d9b1351908dce
SHA1 d11a8c447c1c10e09e5026dd3e88980002230d14
SHA256 fa4a34ad3dcf012444378ea67628a098a9ce9d4097dcbf00a12beb9a83640937
SHA512 9a02250fa4d2eff5db1a99bf95c6c3579fbef7b15f0ae456839b4824ded686f3a920f5af16009ed12f5c9bcb71465c4f55a64ff7c048404fb97beabe2c48dd8b

\Windows\SysWOW64\midiasvc.exe

MD5 74160ab8496cdef8cc370ad532eeec51
SHA1 f23fa0023c5fa46464c1f07094213f2c7afc8244
SHA256 ce3acffae736fc55104b64e666b9cacc0adbd1fe85d465d977e5b639506cab6c
SHA512 bf13c7187356a8c643b638b3c772565c6afdcb78952a83058e836b004e8745ae6114d344597bcc9c5fb0947f092d8dd18f26c71bbe9e9526078555c447f2f137

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 3668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 3668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 3668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3668 -ip 3668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 199.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win7-20231129-en

Max time kernel

117s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win7-20231215-en

Max time kernel

119s

Max time network

122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mineep.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilterc3a019APIClass Helper" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mineep.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilter" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\ = "MineFilterc3a019APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mineep.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\ = "MineFilterc3a019APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\ = "MineFilterc3a019APIClass 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1072 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1072 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1072 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1072 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1072 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1072 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mineep.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\mineep.dll

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

146s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mineep.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilterc3a019APIClass Helper" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\ = "MineFilterc3a019APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\ = "MineFilterc3a019APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilter" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\ = "MineFilterc3a019APIClass 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mineep.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mineep.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 5024 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4812 wrote to memory of 5024 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4812 wrote to memory of 5024 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mineep.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\mineep.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win7-20231215-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mineepsvc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\mineepsvc.exe

"C:\Users\Admin\AppData\Local\Temp\mineepsvc.exe"

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mineepsvc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\mineepsvc.exe

"C:\Users\Admin\AppData\Local\Temp\mineepsvc.exe"

Network


Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\minerun.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\minerun.exe

"C:\Users\Admin\AppData\Local\Temp\minerun.exe"

Network


Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win7-20231215-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 248

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win7-20231215-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 228

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mineepnad.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mineepnad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mineepnad.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mineepnad.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1272 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1272 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mineepnad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mineepnad.dll,#1

Network


Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\midiasvc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\midiasvc.exe

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\midiasvc.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win10v2004-20231215-en

Max time kernel

153s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 2428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1136 wrote to memory of 2428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1136 wrote to memory of 2428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2428 -ip 2428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 636

Network


Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win7-20231215-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 248

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

93s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4116 wrote to memory of 1096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4116 wrote to memory of 1096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4116 wrote to memory of 1096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1096 -ip 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 636

Network


Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 18:58

Reported

2024-02-04 19:01

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\c3a019\mineepnad.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\c3a019\mineepnad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\c3a019\mineepnad.dll,#1

Network

N/A

Files

N/A