Analysis Overview
SHA256
7ecf992f19dffdd28863aeb32309570b3ae896dd151f4fea1986f79853cf38be
Threat Level: Shows suspicious behavior
The file 8fe893c04c504d9757cc28a75eddeeba was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-04 18:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2412 wrote to memory of 1416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2412 wrote to memory of 1416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2412 wrote to memory of 1416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\c3a019\mineepnad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\c3a019\mineepnad.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win10v2004-20231215-en
Max time kernel
89s
Max time network
149s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\midiasvc.exe
"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\midiasvc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\WOW6432Node\CLSID\tst_key = "test_ok" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe
"C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | default.minefilter.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsu5209.tmp\nsProcess.dll
| MD5 | 8f4ac52cb2f7143f29f114add12452ad |
| SHA1 | 29dc25f5d69bf129d608b83821c8ec8ab8c8edb3 |
| SHA256 | b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04 |
| SHA512 | 2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c |
C:\Users\Admin\AppData\Local\Temp\nsu5209.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
memory/4256-16-0x0000000002980000-0x0000000002A15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~nsis\c3a019\mineepnad.dll
| MD5 | f1b0e3e318416d0684ab5950369f11d5 |
| SHA1 | 2e6bd84b573608c5932702d16f4a4324d8c15006 |
| SHA256 | f429257098b177b978d6378ee4fa8bb449f39134f92629594a7a5dbc94111124 |
| SHA512 | a7d979fdf78ca98f97497f1076e3a3795fd00bd706c9a20224984267b463a19137a9b836e8dcdacfb7f7fd3a28cc2b6764f10bc493465d85243a9326dd215b6b |
C:\Users\Admin\AppData\Local\Temp\~nsis\c3a019\mineepnad.dll
| MD5 | 347c0c851e5230536f5867b0ebc1568e |
| SHA1 | 7787a7c0404c2ad4b0f6feda83c73b61b310e659 |
| SHA256 | b7aca04cc4253317817f0cb23c52ae9b19c8c648be8493933cf20ad7aa8dedf8 |
| SHA512 | 3cc07690c69d5982e552164833e7b4687a0650e1e226f5274ed04caf355f400bf972971b827767b2c54aaa1ccce355ca2822591d7a30b39b87f4256e3d249d7d |
C:\Users\Admin\AppData\Local\Temp\~nsis\c3a019\MINEEP~1.DLL
| MD5 | 84e4af439cfa4e555eb2e84f36fcb1fe |
| SHA1 | 11f495bc7b6941ffdd881c7d135ddf674667bd6b |
| SHA256 | 9f3c348b2967a2582f3276f426343cce69a13fccf58a7413d64fa2deb156fa03 |
| SHA512 | 10549db9c5cd20b2f3b3431e75aff38ed002572b7dced4808636e66c768291d8b9739f0b9d056955accc623b146939a1e1406ec656eb85021dec1e286feede95 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win10v2004-20231222-en
Max time kernel
88s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2788 wrote to memory of 444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2788 wrote to memory of 444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2788 wrote to memory of 444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 444 -ip 444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 608
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win7-20231215-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\minerun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\minerun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\minerun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\minerun.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\minerun.exe
"C:\Users\Admin\AppData\Local\Temp\minerun.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win7-20231129-en
Max time kernel
130s
Max time network
130s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\midiasvc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\midiasvc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\midiasvc.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilterc3a019APIClass Helper" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\midiasvc.exe | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\MineFilter\Log\minefilter_up_20240204.txt | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| File created | C:\Program Files (x86)\MineFilter\mine_uins.dat | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| File created | C:\Program Files (x86)\MineFilter\mineep.dl_ | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| File created | C:\Program Files (x86)\MineFilter\mineepnad.dl_ | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| File created | C:\Program Files (x86)\MineFilter\minerun.ex_ | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MineFilter\homepage.url | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| File created | C:\Program Files (x86)\MineFilter\mineepsvc.ex_ | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MineFilter\intro.url | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| File created | C:\Program Files (x86)\MineFilter\uninst.exe | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8\WpadDecision = "0" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadNetworkName = "Network 3" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecisionTime = 0060e0859c57da01 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E} | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\f6-98-7a-0a-d3-d8 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8\WpadDecisionTime = 0060e0859c57da01 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecisionReason = "1" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecision = "0" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8\WpadDetectedUrl | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecisionTime = 80060d609c57da01 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8\WpadDecisionReason = "1" | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8\WpadDecisionTime = 80060d609c57da01 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-98-7a-0a-d3-d8 | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files (x86)\MineFilter\mineepsvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\ = "MineFilterc3a019APIClass Class" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\MineFilter\\" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32\ = "C:\\Program Files (x86)\\MineFilter\\mineep.dll" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\ = "MineFilterc3a019APIClass 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\tst_key = "test_ok" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilter" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\ = "MineFilterc3a019APIClass Class" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ = "C:\\Program Files (x86)\\MineFilter\\mineep.dll" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\Programmable | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe
"C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe"
C:\Program Files (x86)\MineFilter\mineepsvc.exe
"C:\Program Files (x86)\MineFilter\mineepsvc.exe" /i
C:\Program Files (x86)\MineFilter\mineepsvc.exe
"C:\Program Files (x86)\MineFilter\mineepsvc.exe" /start
C:\Program Files (x86)\MineFilter\mineepsvc.exe
"C:\Program Files (x86)\MineFilter\mineepsvc.exe"
C:\Windows\SysWOW64\midiasvc.exe
C:\Windows\SysWOW64\midiasvc.exe
C:\Windows\SysWOW64\midiasvc.exe
"C:\Windows\System32\midiasvc.exe" /start
C:\Windows\SysWOW64\midiasvc.exe
"C:\Windows\System32\midiasvc.exe" /i
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | default.minefilter.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsd6F4.tmp\nsProcess.dll
\Users\Admin\AppData\Local\Temp\nsd6F4.tmp\System.dll
\Users\Admin\AppData\Local\Temp\~nsis\c3a019\mineepnad.dll
memory/2536-12-0x0000000000A50000-0x0000000000AE5000-memory.dmp
\Users\Admin\AppData\Local\Temp\~nsis\c3a019\mineepnad.dll
C:\Program Files (x86)\MineFilter\mineepnad.dl_
\Program Files (x86)\MineFilter\mineep.dll
memory/2536-31-0x0000000003150000-0x000000000316F000-memory.dmp
\Program Files (x86)\MineFilter\mineepsvc.exe
C:\Program Files (x86)\MineFilter\mineepnad.dll
C:\Program Files (x86)\MineFilter\minerun.exe
C:\Windows\SysWOW64\midiasvc.exe
C:\Windows\SysWOW64\midiasvc.exe
\Windows\SysWOW64\midiasvc.exe
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2844 wrote to memory of 3668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2844 wrote to memory of 3668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2844 wrote to memory of 3668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3668 -ip 3668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 612
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win7-20231129-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 224
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win7-20231215-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilterc3a019APIClass Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mineep.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilter" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\ = "MineFilterc3a019APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mineep.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\ = "MineFilterc3a019APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\ = "MineFilterc3a019APIClass 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1072 wrote to memory of 2196 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1072 wrote to memory of 2196 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1072 wrote to memory of 2196 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1072 wrote to memory of 2196 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1072 wrote to memory of 2196 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1072 wrote to memory of 2196 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1072 wrote to memory of 2196 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mineep.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\mineep.dll
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win10v2004-20231222-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilterc3a019APIClass Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\ = "MineFilterc3a019APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\ = "MineFilterc3a019APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilter" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\ = "MineFilterc3a019APIClass 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mineep.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mineep.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4812 wrote to memory of 5024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4812 wrote to memory of 5024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4812 wrote to memory of 5024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mineep.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\mineep.dll
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win7-20231215-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\mineepsvc.exe
"C:\Users\Admin\AppData\Local\Temp\mineepsvc.exe"
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\mineepsvc.exe
"C:\Users\Admin\AppData\Local\Temp\mineepsvc.exe"
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win10v2004-20231215-en
Max time kernel
139s
Max time network
158s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\minerun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\minerun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\minerun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\minerun.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\minerun.exe
"C:\Users\Admin\AppData\Local\Temp\minerun.exe"
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | N/A | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win7-20231215-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 248
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win7-20231215-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 228
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win7-20231215-en
Max time kernel
119s
Max time network
123s
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 308 wrote to memory of 2868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mineepnad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mineepnad.dll,#1
Analysis: behavioral18
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win10v2004-20231222-en
Max time kernel
145s
Max time network
150s
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1272 wrote to memory of 2912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mineepnad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mineepnad.dll,#1
Network
| Country | Destination | Domain | Proto |
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Processes
C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\midiasvc.exe
"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\midiasvc.exe"
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win10v2004-20231215-en
Max time kernel
153s
Max time network
160s
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1136 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win7-20231215-en
Max time kernel
118s
Max time network
122s
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 248
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
93s
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4116 wrote to memory of 1096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1096 -ip 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-04 18:58
Reported
2024-02-04 19:01
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2548 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\c3a019\mineepnad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\c3a019\mineepnad.dll,#1