Malware Analysis Report

2025-08-05 16:44

Sample ID 240204-zh8kgscchk
Target VirusShare_e61e3348ca9eab9c592a53d40e006120
SHA256 b087ad5ae69a95b7da6467a74aa0a4df2cf37bd4201cd42a5e7a537f93da466f
Tags: adware, discovery, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral7, behavioral11, behavioral13, behavioral15, behavioral3, behavioral6, behavioral2, behavioral4, behavioral8, behavioral14, behavioral16, behavioral5, behavioral9, behavioral10, behavioral12 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

b087ad5ae69a95b7da6467a74aa0a4df2cf37bd4201cd42a5e7a537f93da466f

Threat Level: Shows suspicious behavior

The file VirusShare_e61e3348ca9eab9c592a53d40e006120 was classified as showing suspicious behavior. It is an unsigned NSIS installer that drops a "MediaWatchV1" browser add-on in three forms (an Internet Explorer BHO DLL under ie\, a Firefox XUL add-on under ff\ and a Chrome .crx under ch\), registers the BHO with regsvr32, pre-approves it in Internet Explorer and writes a local Group Policy file before running gpupdate /force.

Malicious Activity Summary

adware discovery spyware stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-02-04 20:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A (no indicator details recorded for this signature)

NSIS installer

installer
Description Indicator Process Target
N/A (no indicator details recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231215-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443}\ = "MediaWatchV1home612" C:\Windows\SysWOW64\regsvr32.exe N/A

NoExplorer = 1 keeps the BHO from being loaded into Windows Explorer (explorer.exe); it still loads into every Internet Explorer process. The key sits under Wow6432Node because the DLL is 32-bit and was registered by the SysWOW64 regsvr32.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A

Registry.pol under System32\GroupPolicy\Machine is the Local Group Policy's machine-wide registry policy file and GPT.INI carries its version counter. Together with the gpupdate.exe /force the installer spawns (see Processes), this shows the installer pushing settings through local Group Policy rather than writing them to the registry directly. The report does not capture the contents of Registry.pol, so which policies it sets cannot be read from here.

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons\default\MediaWatchV1home612_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\ffMediaWatchV1home612.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons\default\MediaWatchV1home612_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ch\MediaWatchV1home612.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ch\MediaWatchV1home612.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ie\MediaWatchV1home612.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\ffMediaWatchV1home612.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\ffMediaWatchV1home612ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\ffMediaWatchV1home612ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{faef50a6-e452-483d-9db0-32b4893e3443} = 51667a6c4c1d3b1bb64df9e162b25a0d82bf77f48879785d C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A

Approved Extensions is the per-user list of add-ons Internet Explorer already treats as approved. Writing the BHO's CLSID there suppresses the "enable add-on" prompt the user would otherwise see the first time the BHO loads, which is why this is tagged adware rather than a mere configuration change.

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\ = "MediaWatchV1home612" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\TypeLib\ = "{d08f6e4f-7eb9-4e56-8b57-2200f86d3f61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home612\\ie\\MediaWatchV1home612.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home612\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\ = "{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home612\\ie\\MediaWatchV1home612.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ = "IMediaWatchV1home612BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443} C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\ = "MediaWatchV1home612Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\ = "{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ = "IMediaWatchV1home612BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
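The registry writes above are the persistence artefact a host audit should look for: a Browser Helper Objects entry whose CLSID resolves, via Classes\CLSID\{clsid}\InprocServer32, to the DLL that will be loaded into Internet Explorer. The following Python is an added example (not part of this report or of any sandbox's code) that parses a Regedit 5.00 export and resolves every BHO to its DLL, flagging NoExplorer=1 and DLLs that live in user-writable directories. The {faef50a6-...} entries in the constructed export copy the keys shown in this report; the other two CLSIDs, the "TempHelper" name and the Contoso path are made up for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed Regedit 5.00 export. The {faef50a6-...} keys mirror what the sandbox
# saw regsvr32 write; {11111111-...} and {99999999-...} are invented for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443}]
@="MediaWatchV1home612"
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32]
@="C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home612\\ie\\MediaWatchV1home612.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="TempHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\helper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99999999-8888-7777-6666-555555555555}]
@="Contoso PDF Link Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99999999-8888-7777-6666-555555555555}\InprocServer32]
@="C:\\Program Files\\Contoso\\pdflink.dll"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_BHO_RE = re.compile(
    r'^hkey_local_machine\\software\\(wow6432node\\)?microsoft\\windows\\currentversion'
    r'\\explorer\\browser helper objects\\(\{[0-9a-f-]{36}\})$')
# Directories a standard user can write to; a BHO DLL living here is a red flag.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\')


def _unquote(s):
    """Strip the quotes of a .reg string and undo its backslash and quote escapes."""
    return s[1:-1].replace('\\\\', '\\').replace('\\"', '"')


def _decode(raw):
    if raw.startswith('"'):
        return _unquote(raw)
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    return raw  # hex(...) blobs, expandable strings etc. are kept verbatim


def parse_reg(text):
    """Parse a Regedit 5.00 export into {lower-cased key path: {value name: value}}.
    The default value is stored under the empty name ''."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unquote(m.group(1)).lower()
            keys[current][name] = _decode(m.group(2))
    return keys


@dataclass
class BhoFinding:
    clsid: str
    name: str
    dll: Optional[str]
    reasons: list = field(default_factory=list)


def _inproc_dll(keys, clsid):
    """Resolve a CLSID to its InprocServer32 DLL, trying the 32-bit view first."""
    for wow in ('wow6432node\\', ''):
        vals = keys.get(f'hkey_local_machine\\software\\classes\\{wow}clsid\\{clsid}\\inprocserver32')
        if vals and isinstance(vals.get(''), str):
            return vals['']
    return None


def audit_bhos(keys):
    """Walk every registered Browser Helper Object and explain why it looks odd."""
    findings = []
    for key, vals in keys.items():
        m = _BHO_RE.match(key)
        if not m:
            continue
        clsid = m.group(2)
        f = BhoFinding(clsid, str(vals.get('', '')), _inproc_dll(keys, clsid))
        if f.dll is None:
            f.reasons.append('no InprocServer32 registered for this CLSID')
        elif any(marker in f.dll.lower() for marker in USER_WRITABLE):
            f.reasons.append('DLL lives in a user-writable directory')
        if vals.get('noexplorer') == 1:
            f.reasons.append('NoExplorer=1 (loads in Internet Explorer only, hidden from Windows Explorer)')
        findings.append(f)
    return findings


if __name__ == '__main__':
    for f in audit_bhos(parse_reg(SAMPLE_REG)):
        print(f.clsid, f.name, f.dll, '; '.join(f.reasons) or 'nothing unusual')
```

On a live host the same logic runs against `reg export HKLM\SOFTWARE` output; the BHO key itself only names the object, so resolving through InprocServer32 (both the native and the Wow6432Node view) is what turns a CLSID into a file you can hash and compare with the report's SHA256 for MediaWatchV1home612.dll.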

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 1956 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2028 wrote to memory of 1204 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe C:\Windows\SysWOW64\gpupdate.exe

Both targets are child processes the installer itself started (see Processes). A parent writes into a freshly created child's address space as part of process creation, so this signature on its own is weak evidence of injection; it is useful here mainly because it records the parent/child PIDs.

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe (PID 2028)
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe"

  +- C:\Windows\SysWOW64\regsvr32.exe (PID 1956)
       regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ie\MediaWatchV1home612.dll" /s

  +- C:\Windows\SysWOW64\gpupdate.exe (PID 1204)
       "C:\Windows\System32\gpupdate.exe" /force

PIDs and parent/child relationships are taken from the WriteProcessMemory entries above. The 32-bit installer asks for System32\gpupdate.exe and receives the SysWOW64 copy through WoW64 file-system redirection, which is why image path and command line disagree.
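The process tree above, combined with the Registry.pol write in the System32 signature, is a compact detection: an executable in a user's Temp directory drops a local Group Policy file and then spawns gpupdate /force, and in between spawns regsvr32 to register a DLL. The following Python is an added example (not part of this report or any vendor's detection content) that runs that correlation over constructed Sysmon-style process and file events. The PIDs, images and command lines for 2028, 1956 and 1204 are copied from this run; the explorer.exe parent PID, the cmd.exe-driven gpupdate at the end (a benign control) and the event shape itself are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events: type "proc" = process creation, "file" = file
# creation. 2028/1956/1204 reproduce the behavioral1 run; PID 1700 and the
# cmd.exe -> gpupdate pair at t=600 are made up as a benign control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe"
EVENTS = [
    {"t": 0, "type": "proc", "pid": 2028, "ppid": 1700, "image": SAMPLE,
     "parent": r"C:\Windows\explorer.exe", "cmd": f'"{SAMPLE}"'},
    {"t": 1, "type": "file", "pid": 2028, "image": SAMPLE,
     "path": r"C:\Windows\System32\GroupPolicy\Machine\Registry.pol"},
    {"t": 2, "type": "proc", "pid": 1956, "ppid": 2028, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent": SAMPLE,
     "cmd": r'regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ie\MediaWatchV1home612.dll" /s'},
    {"t": 3, "type": "proc", "pid": 1204, "ppid": 2028, "image": r"C:\Windows\SysWOW64\gpupdate.exe",
     "parent": SAMPLE, "cmd": r'"C:\Windows\System32\gpupdate.exe" /force'},
    {"t": 600, "type": "proc", "pid": 3001, "ppid": 3000, "image": r"C:\Windows\System32\gpupdate.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "gpupdate /force"},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _dll_from_regsvr32(cmd):
    """Pull the DLL path out of a regsvr32 command line, quoted or bare."""
    m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def detect(events, window=300):
    """Return alerts as (rule, pid, detail) tuples.

    local_gpo_tamper: a process outside C:\\Windows writes Machine\\Registry.pol and a
      child of that process runs gpupdate /force within `window` seconds.
    regsvr32_from_user_dir: regsvr32 launched by, or registering a DLL from, a
      user-writable directory (covers both the Program Files and the Temp variants
      seen in this report).
    """
    pol_writes = defaultdict(list)  # writer pid -> timestamps of Registry.pol writes
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "file":
            if (ev["path"].lower().endswith("\\grouppolicy\\machine\\registry.pol")
                    and not ev["image"].lower().startswith("c:\\windows\\")):
                pol_writes[ev["pid"]].append(ev["t"])
        elif ev["type"] == "proc":
            image = ev["image"].lower()
            if image.endswith("\\gpupdate.exe") and "/force" in ev["cmd"].lower():
                recent = [t for t in pol_writes.get(ev["ppid"], []) if ev["t"] - t <= window]
                if recent:
                    alerts.append(("local_gpo_tamper", ev["ppid"], ev["parent"]))
            if image.endswith("\\regsvr32.exe"):
                dll = _dll_from_regsvr32(ev["cmd"]) or ""
                if _user_writable(ev["parent"]) or _user_writable(dll):
                    alerts.append(("regsvr32_from_user_dir", ev["pid"], dll or ev["cmd"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule}: pid {pid} -> {detail}")
```

The benign gpupdate at the end produces no alert because its parent never wrote a policy file; keying the correlation on the writer's PID rather than on gpupdate alone is what keeps an administrator's routine refresh out of the results.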

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd7B0A.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ie\MediaWatchV1home612.dll

MD5 401552c001771a3f22d05cf98bd839c0
SHA1 710b8c3443ab3e3c682b66180a11d97148bb0b58
SHA256 ada2c7ac1d452d65e5c61defb5c7aeaa4bf85bdb9c943c4688440a1084b3439c
SHA512 5b76b3346320d03b5f81025a1966c9d4ebb246d8cfb077af2bb7baaf57a3fb9df1c351b8fd38d5e9d89fe48fe7bb5d859f8066600afeb00f6fc141acbf8f5d08

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home612.js

This is one of the Firefox add-on scripts the installer drops under ff\chrome\content (alongside install.rdf, chrome.manifest and overlay.xul, the layout of a XUL overlay add-on), detonated on its own under Windows Script Host. It is meant to run inside Firefox, not WSH, so the empty Signatures, Network and Files sections below are expected and say nothing about what the script does in the browser.

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home612.js

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231215-en

Max time kernel

117s

Max time network

118s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home612.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443}\ = "MediaWatchV1home612" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\ = "{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\ = "{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ = "IMediaWatchV1home612BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\ = "MediaWatchV1home612Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ = "IMediaWatchV1home612BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\TypeLib\ = "{d08f6e4f-7eb9-4e56-8b57-2200f86d3f61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home612.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home612.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\ = "MediaWatchV1home612" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2300 (7 events) N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe (PID 2212)
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home612.dll

  +- C:\Windows\SysWOW64\regsvr32.exe (PID 2300)
       /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home612.dll

The 64-bit regsvr32 cannot load a 32-bit DLL, so it re-launches the SysWOW64 copy with the same arguments; the parent-to-child memory writes are part of that hand-off, not injection. The registration matches behavioral1 except that InprocServer32, the TypeLib win32 path and HELPDIR now point into the Temp directory the DLL was detonated from, which is exactly the kind of BHO a host audit should flag.

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A (no indicator details recorded for this signature)

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe
  "C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

  +- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
       "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

This is the standard NSIS uninstaller pattern: uninstall.exe copies itself to ~nsu.tmp\Au_.exe and re-launches the copy with _?=<install dir> so that the original can be deleted while the copy runs. The "Executes dropped EXE" hit above is that copy, not a second payload.

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 b3ac31ae28334be98ba3a64776ecf24a
SHA1 35f9bd28f326194ea33afe29b821a12e7765ea79
SHA256 2d244145bd758214e8b25309952dc4df2b967a872f5ffd3f8ecf031d1ef8a643
SHA512 94dd72193fbfd0616cabff36f316f74c3388d0025a609ccea79f5e88419b3fdc9e88c07b34b8329550281268ef4a4b819203412da7f94eaf42907c7e4950477f

\Users\Admin\AppData\Local\Temp\nst283A.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

  +- C:\Windows\SysWOW64\rundll32.exe
       rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

     +- C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 224

aminsis.dll was unpacked to $PLUGINSDIR, so it is an NSIS plugin. Plugin exports expect the installer's parameter block (parent window, string size, variables block and stack) rather than the arguments rundll32 passes, so invoking export #1 this way crashes the 32-bit rundll32 (PID 2340, picked up by WerFault). The crash is an artefact of detonating the plugin outside its host and is what the summary's "Program crash" entry records; it says nothing about what the plugin does under the installer.

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231215-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

  +- C:\Windows\SysWOW64\rundll32.exe
       rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

     +- C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 224

A repeat of behavioral15 on a second Windows 7 image: the NSIS plugin export is called with rundll32's arguments instead of the installer's parameter block and the 32-bit rundll32 (PID 2376) crashes.

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home612chaction.js

As in behavioral7, one of the dropped add-on scripts detonated on its own under Windows Script Host; no signature fired.

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home612chaction.js

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          209.205.72.20.in-addr.arpa    udp
US       8.8.8.8:53          190.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          76.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          241.150.49.20.in-addr.arpa    udp
NL       52.142.223.178:80   (none)                        tcp
US       8.8.8.8:53          103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa      udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53          210.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          11.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53          205.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          90.65.42.20.in-addr.arpa      udp

Every UDP row is a reverse-DNS (PTR) query to 8.8.8.8 and the single TCP connection has no domain attached. The report ties none of this traffic to the script through a signature (the Signatures section is empty), so it is most likely background activity of the Windows 10 image and should not be read as command-and-control without a capture that attributes it to the wscript.exe process.

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231215-en

Max time kernel

140s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443}\ = "MediaWatchV1home612" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons\default\MediaWatchV1home612_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\ffMediaWatchV1home612ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\ffMediaWatchV1home612ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons\default\MediaWatchV1home612_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ie\MediaWatchV1home612.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\ffMediaWatchV1home612.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ch\MediaWatchV1home612.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ch\MediaWatchV1home612.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\ffMediaWatchV1home612.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{faef50a6-e452-483d-9db0-32b4893e3443} = 51667a6c4c1d3b1bb64dfde466b65b0487b370f48d7e7457 C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home612\\ie\\MediaWatchV1home612.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home612\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443} C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\ = "MediaWatchV1home612Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ = "IMediaWatchV1home612BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home612\\ie\\MediaWatchV1home612.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\TypeLib\ = "{d08f6e4f-7eb9-4e56-8b57-2200f86d3f61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\ = "{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ = "IMediaWatchV1home612BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\ = "{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\ = "MediaWatchV1home612" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_e61e3348ca9eab9c592a53d40e006120.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ie\MediaWatchV1home612.dll" /s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsdCD44.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home612\ie\MediaWatchV1home612.dll

MD5 401552c001771a3f22d05cf98bd839c0
SHA1 710b8c3443ab3e3c682b66180a11d97148bb0b58
SHA256 ada2c7ac1d452d65e5c61defb5c7aeaa4bf85bdb9c943c4688440a1084b3439c
SHA512 5b76b3346320d03b5f81025a1966c9d4ebb246d8cfb077af2bb7baaf57a3fb9df1c351b8fd38d5e9d89fe48fe7bb5d859f8066600afeb00f6fc141acbf8f5d08

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231222-en

Max time kernel

88s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4176 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4176 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4176 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 116 -ip 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home612.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home612.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 b3ac31ae28334be98ba3a64776ecf24a
SHA1 35f9bd28f326194ea33afe29b821a12e7765ea79
SHA256 2d244145bd758214e8b25309952dc4df2b967a872f5ffd3f8ecf031d1ef8a643
SHA512 94dd72193fbfd0616cabff36f316f74c3388d0025a609ccea79f5e88419b3fdc9e88c07b34b8329550281268ef4a4b819203412da7f94eaf42907c7e4950477f

C:\Users\Admin\AppData\Local\Temp\nss663D.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 744 wrote to memory of 1832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 744 wrote to memory of 1832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 744 wrote to memory of 1832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 624

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home612chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home612chaction.js

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231129-en

Max time kernel

117s

Max time network

119s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home612ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home612ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home612ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home612ffaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231222-en

Max time kernel

88s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home612.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{faef50a6-e452-483d-9db0-32b4893e3443}\ = "MediaWatchV1home612" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\ = "{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home612.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\ = "MediaWatchV1home612Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home612.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ = "IMediaWatchV1home612BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\ = "{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\TypeLib\ = "{d08f6e4f-7eb9-4e56-8b57-2200f86d3f61}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C07C85-E79A-4B0E-A032-BB3BE9D18B74}\ = "IMediaWatchV1home612BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\ = "MediaWatchV1home612" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{faef50a6-e452-483d-9db0-32b4893e3443}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D08F6E4F-7EB9-4E56-8B57-2200F86D3F61}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 820 wrote to memory of 1656 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 820 wrote to memory of 1656 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 820 wrote to memory of 1656 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home612.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home612.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A