Malware Analysis Report

2025-08-05 16:43

Sample ID: 240204-zjh18aacg8
Target: VirusShare_abfb01a66ce9f58efb046a181a0e83fe
SHA256: dab2bc2dbbc75f4acc79370c9199ee22593620f2e468717485709661d63cbb89
Tags: adware discovery spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral16, behavioral1, behavioral4, behavioral11, behavioral12, behavioral2, behavioral3, behavioral6, behavioral8, behavioral9, behavioral10, behavioral15, behavioral5, behavioral7, behavioral13, behavioral14 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10
SHA256: dab2bc2dbbc75f4acc79370c9199ee22593620f2e468717485709661d63cbb89
Threat level: shows suspicious behavior

The file VirusShare_abfb01a66ce9f58efb046a181a0e83fe was classified as showing suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-04 20:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral16

Detonation Overview

Submitted: 2024-02-04 20:44
Reported: 2024-02-04 20:47
Platform: win10v2004-20231215-en
Max time kernel: 143s
Max time network: 151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3808 wrote to memory of 1560 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1560 -ip 1560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 624

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp

Files

N/A
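Nearly every Network row in the behavioral16 run is a UDP query to 8.8.8.8:53 for an in-addr.arpa name, which is a PTR (reverse) lookup: it records which address something on the VM tried to resolve, not that the sample connected to it. The one row with a direct destination, 52.142.223.178:80 over TCP, is the only connection in the table. The Python below is an added example, not part of the sandbox report, that separates the two classes: it inverts in-addr.arpa (and, going beyond this report's rows, ip6.arpa) names back into addresses, counts lookups per address, and lists direct connections. The sample rows are copied from the table above; treating a port-53 row carrying a reverse name as lookup noise rather than sample traffic is this example's assumption.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: a subset of the behavioral16 Network rows, in the report's
# "Country Destination Domain Proto" layout (the TCP row has no Domain column).
SAMPLE_NETWORK = """
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
"""

# Destination is an IPv4 literal plus port; Domain is optional; Proto is tcp or udp.
ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[0-9.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def ptr_name_to_ip(name: str) -> Optional[str]:
    """Invert a reverse-DNS query name (in-addr.arpa or ip6.arpa) into the address it asks about."""
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            # 133.211.185.52.in-addr.arpa -> 52.185.211.133
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            # 32 reversed nibbles -> 128-bit address
            return str(ipaddress.IPv6Address(int("".join(reversed(labels[:32])), 16)))
    except ValueError:
        return None   # a label that is not a valid octet or nibble
    return None


def parse_network(text: str) -> List[Dict]:
    """Parse the report's flattened network rows; raise on anything that does not fit."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append({"cc": m.group("cc"), "ip": m.group("ip"), "port": int(m.group("port")),
                     "domain": m.group("domain"), "proto": m.group("proto")})
    return rows


def triage_network(text: str) -> Dict:
    """Split rows into PTR-lookup noise (port 53 with a reverse name) and direct connections."""
    lookups, resolvers, direct = Counter(), set(), []
    for r in parse_network(text):
        target = ptr_name_to_ip(r["domain"]) if r["domain"] else None
        if r["port"] == 53 and target:
            lookups[target] += 1          # the address that was looked up, not contacted
            resolvers.add(r["ip"])
        else:
            direct.append((r["ip"], r["port"], r["proto"], r["domain"]))
    return {"ptr_lookups": dict(lookups), "resolvers": sorted(resolvers), "direct": direct}


if __name__ == "__main__":
    result = triage_network(SAMPLE_NETWORK)
    print("direct connections:", result["direct"])
    print("addresses reverse-resolved:", sorted(result["ptr_lookups"]))
```

Run against the full table, the "direct" list is what goes into a blocklist or a firewall query; the reverse-resolved addresses are worth a second look only if one of them also shows up as a direct destination.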

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-04 20:44
Reported: 2024-02-04 20:47
Platform: win7-20231215-en
Max time kernel: 123s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "RichMediaViewV1release45" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons\default | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File created | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\install.rdf | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File created | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\ffRichMediaViewV1release45.js | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\overlay.xul | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File created | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons\Thumbs.db | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons\Thumbs.db | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File created | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ie\RichMediaViewV1release45.dll | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File created | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ch\RichMediaViewV1release45.crx | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File created | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons\default\RichMediaViewV1release45_32.png | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File created | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\install.rdf | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\ffRichMediaViewV1release45ffaction.js | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\ffRichMediaViewV1release45.js | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File created | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\ffRichMediaViewV1release45ffaction.js | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File created | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\overlay.xul | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons\default\RichMediaViewV1release45_32.png | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ch\RichMediaViewV1release45.crx | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File created | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
File opened for modification | C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Approved Extensions | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} = 51667a6c4c1d3b1bbbc8c6338cba800bb56f8e5612878007 | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\TypeLib\ = "{04649e5c-7e53-49a6-bec9-62a9a1990057}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Version\ = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\ = "{04649E5C-7E53-49A6-BEC9-62A9A1990057}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ = "IRichMediaViewV1release45BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ = "IRichMediaViewV1release45BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release45\\ie\\RichMediaViewV1release45.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release45\\ie" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\ = "RichMediaViewV1release45Lib" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\ = "{04649E5C-7E53-49A6-BEC9-62A9A1990057}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "Rich Media View" | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "RichMediaViewV1release45" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release45\\ie\\RichMediaViewV1release45.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2192 wrote to memory of 2288 (7 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 2580 (7 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe | C:\Windows\SysWOW64\gpupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ie\RichMediaViewV1release45.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso2CFB.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ie\RichMediaViewV1release45.dll

MD5 322fa7a3c9c2507d4c53e5a1bd6dd774
SHA1 b0cd9c6eaad5569a296e607ecaaa84d5df3511e7
SHA256 21db324b3c5141e45d240428a0c80e256cbba804265aafeb81b3897b2ae09633
SHA512 4a34f3f962a631225c4b6aff7838d0389dc2fead2cdeeb71257fd33ecd8529519943796ecd79133e2892deacc15e32e50548bf69358e498f9b63bec4fc99ee8e
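The registry rows in this run describe one COM registration spread over three key trees: the Browser Helper Objects entry that makes Internet Explorer load the component, the CLSID entry whose InprocServer32 default value names the DLL that actually gets loaded, and the TypeLib and Interface entries that the same regsvr32 call creates. What an analyst needs from the flat table is that chain resolved (CLSID to DLL path) and the list of key roots to delete. The Python below is an added example, not part of the sandbox report or of the sample's own code: it parses a constructed subset of the rows above (copied verbatim in the report's four-column layout), normalises the kernel-style \REGISTRY\MACHINE and \REGISTRY\USER prefixes to HKLM and HKU, follows the BHO CLSID to its InprocServer32 DLL and TypeLib, and ties Interface GUIDs in through their TypeLib default value. It assumes the report's layout of a process path without spaces followed by a Target column, and that quoted values carry doubled backslashes as they do above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the "Installs/modifies Browser Helper Object",
# "Modifies Internet Explorer settings" and "Modifies registry class" rows from
# the behavioral1 run, in the report's flattened "Description Indicator Process Target" layout.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "RichMediaViewV1release45" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\TypeLib\ = "{04649e5c-7e53-49a6-bec9-62a9a1990057}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release45\\ie\\RichMediaViewV1release45.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\ = "RichMediaViewV1release45Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\ = "{04649E5C-7E53-49A6-BEC9-62A9A1990057}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} = 51667a6c4c1d3b1bbbc8c6338cba800bb56f8e5612878007 C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
"""

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# Key paths contain spaces, process paths in this report do not, so anchor on the last two tokens.
ROW = re.compile(
    r"^(?P<action>Key created|Set value \((?:str|int|data)\)) "
    r"(?P<key>\\REGISTRY\\.+?)"
    r'(?: = (?:"(?P<quoted>.*)"|(?P<raw>\S+)))?'
    r" (?P<process>\S+) (?P<target>\S+)$"
)
ROOT = re.compile(r"^(.*?(" + GUID + "))", re.I)                       # key path up to its first GUID
BHO = re.compile(r"\\Browser Helper Objects\\(" + GUID + ")", re.I)
IFACE_TYPELIB = re.compile(r"\\Interface\\(" + GUID + r")\\TypeLib\\$", re.I)


@dataclass(frozen=True)
class RegEvent:
    action: str
    key: str                # hive-normalised; a trailing backslash names the key's default value
    value: Optional[str]    # None for "Key created"
    process: str


def normalize_key(key: str) -> str:
    """Rewrite the kernel-style \\REGISTRY\\... prefix into the hive names reg.exe and EDR queries use."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if key.upper().startswith(prefix):
            return hive + key[len(prefix):]
    return key


def parse_rows(text: str) -> List[RegEvent]:
    """Parse the report's flattened registry rows; raise on anything that does not fit the layout."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        value = m.group("quoted")
        if value is not None:
            value = value.replace("\\\\", "\\")   # the report doubles backslashes inside quoted values
        else:
            value = m.group("raw")
        events.append(RegEvent(m.group("action"), normalize_key(m.group("key")), value, m.group("process")))
    return events


def _value_at(events: List[RegEvent], suffix: str) -> Optional[str]:
    """Value written to the key or value name whose path ends in `suffix` (case-insensitive)."""
    suffix = suffix.lower()
    for e in events:
        if e.value is not None and e.key.lower().endswith(suffix):
            return e.value
    return None


def resolve_bho_chains(events: List[RegEvent]) -> List[Dict]:
    """Follow each Browser Helper Object registration to the in-process COM server IE will load."""
    chains, seen = [], set()
    for e in events:
        m = BHO.search(e.key)
        if not m or m.group(1).lower() in seen:
            continue
        clsid = m.group(1).lower()
        seen.add(clsid)
        typelib = (_value_at(events, f"\\CLSID\\{clsid}\\TypeLib\\") or "").lower() or None
        related = {clsid} | ({typelib} if typelib else set())
        # Interface GUIDs are tied to the component only through their TypeLib default value.
        for ev in events:
            im = IFACE_TYPELIB.search(ev.key)
            if im and typelib and ev.value and ev.value.lower() == typelib:
                related.add(im.group(1).lower())
        roots = set()
        for ev in events:
            rm = ROOT.match(ev.key)
            if rm and rm.group(2).lower() in related:
                roots.add(rm.group(1))
        chains.append({
            "clsid": clsid,
            "name": _value_at(events, f"\\Browser Helper Objects\\{clsid}\\"),
            "no_explorer": _value_at(events, f"\\Browser Helper Objects\\{clsid}\\NoExplorer") == "1",
            "dll": _value_at(events, f"\\CLSID\\{clsid}\\InprocServer32\\"),
            "typelib": typelib,
            "registering_processes": sorted({ev.process for ev in events
                                             if any(ev.key.lower().startswith(r.lower()) for r in roots)}),
            "keys_to_remove": sorted(roots),
        })
    return chains


if __name__ == "__main__":
    for chain in resolve_bho_chains(parse_rows(SAMPLE_ROWS)):
        print(f"BHO {chain['clsid']} ({chain['name']}) -> {chain['dll']}")
        for key in chain["keys_to_remove"]:
            print("  remove", key)
```

NoExplorer = 1 means the component is loaded by Internet Explorer but not by Windows Explorer, which is the usual setting for an adware BHO. The keys_to_remove list is the set of roots a cleanup script would delete (after confirming the DLL is gone); the Approved Extensions entry under the user hive is what makes IE skip the add-on prompt, so it belongs on the list even though it is not a COM key.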

Analysis: behavioral4

Detonation Overview

Submitted: 2024-02-04 20:44
Reported: 2024-02-04 20:47
Platform: win10v2004-20231222-en
Max time kernel: 92s
Max time network: 149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2320 wrote to memory of 2008 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 624

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp

Files

N/A
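The WriteProcessMemory rows in the rundll32 runs (behavioral16 and behavioral4) and in the installer run (behavioral1) repeat a single parent-to-child relation several times, and the only process IDs the report gives are in those rows and in the WerFault command lines (-p <pid>). Put together they say which process crashed: here the 64-bit C:\Windows\system32\rundll32.exe wrote into the C:\Windows\SysWOW64\rundll32.exe it started, and WerFault was invoked for that child's PID. The Python below is an added example, not part of the report: it collapses the rows into parent/child edges with event counts, pulls the crashed PID out of the WerFault arguments, and flags a system32 parent writing into a SysWOW64 child as the 64-bit host relaunching its 32-bit copy to load a 32-bit DLL rather than injection into an unrelated process. The sample rows are copied from behavioral4 (all three rows and its command lines) and a subset of behavioral1; the wow64-relaunch heuristic from image paths is this example's assumption.

```python
import re
from collections import Counter
from typing import Dict, List

WRITE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
# WerFault is started with -p <pid> for the faulting process (both the -pss and the -u invocations).
WERFAULT_PID = re.compile(r"WerFault\.exe\b.*?\s-p (?P<pid>\d+)", re.I)

# Constructed samples copied from the report's tables.
B4_WRITES = r"""
PID 2320 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
"""
B4_CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2008 -ip 2008",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 624",
]
B1_WRITES = r"""
PID 2192 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2192 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2192 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe C:\Windows\SysWOW64\gpupdate.exe
"""


def parse_writes(text: str) -> Counter:
    """Collapse repeated WriteProcessMemory rows into (parent, child) edges with event counts."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = WRITE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        edges[(int(m.group("src")), m.group("src_image"), int(m.group("dst")), m.group("dst_image"))] += 1
    return edges


def crashed_pids(cmdlines: List[str]) -> List[int]:
    """PIDs that Windows Error Reporting was invoked for, read from the WerFault command lines."""
    pids = set()
    for c in cmdlines:
        m = WERFAULT_PID.search(c)
        if m:
            pids.add(int(m.group("pid")))
    return sorted(pids)


def lineage(write_text: str, cmdlines: List[str]) -> List[Dict]:
    """Edges from the WriteProcessMemory table, annotated with crash and WOW64-relaunch notes."""
    crashed = set(crashed_pids(cmdlines))
    out = []
    for (src, src_img, dst, dst_img), n in sorted(parse_writes(write_text).items()):
        notes = []
        # Assumption: a system32 parent writing into a SysWOW64 child of the same name is the
        # 64-bit host relaunching its 32-bit copy, not injection into a foreign process.
        if "\\system32\\" in src_img.lower() and "\\syswow64\\" in dst_img.lower():
            notes.append("wow64-relaunch")
        if dst in crashed:
            notes.append("crashed")
        out.append({"parent": src, "parent_image": src_img, "child": dst,
                    "child_image": dst_img, "write_events": n, "notes": notes})
    return out


if __name__ == "__main__":
    for edge in lineage(B4_WRITES, B4_CMDLINES) + lineage(B1_WRITES, []):
        print(f"{edge['parent']} {edge['parent_image']} -> {edge['child']} {edge['child_image']} "
              f"x{edge['write_events']} {edge['notes']}")
```

For the installer run the edges show the sample spawning regsvr32 (the BHO registration) and gpupdate /force (applying the Registry.pol it dropped under GroupPolicy), with no crash; for the rundll32 runs the child that crashed is the 32-bit copy, which is consistent with aminsis.dll being an NSIS plugin called outside the installer that normally hosts it.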

Analysis: behavioral11

Detonation Overview

Submitted: 2024-02-04 20:44
Reported: 2024-02-04 20:47
Platform: win7-20231215-en
Max time kernel: 121s
Max time network: 123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release45.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "RichMediaViewV1release45" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ = "IRichMediaViewV1release45BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\ = "RichMediaViewV1release45Lib" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "RichMediaViewV1release45" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\TypeLib\ = "{04649e5c-7e53-49a6-bec9-62a9a1990057}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release45.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Version\ = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release45.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ = "IRichMediaViewV1release45BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\ = "{04649E5C-7E53-49A6-BEC9-62A9A1990057}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\ = "{04649E5C-7E53-49A6-BEC9-62A9A1990057}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2440 wrote to memory of 1960 (7 identical events) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release45.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release45.dll

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted: 2024-02-04 20:44
Reported: 2024-02-04 20:47
Platform: win10v2004-20231215-en
Max time kernel: 132s
Max time network: 169s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release45.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "RichMediaViewV1release45" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ = "IRichMediaViewV1release45BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\TypeLib\ = "{04649e5c-7e53-49a6-bec9-62a9a1990057}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ = "IRichMediaViewV1release45BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release45.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release45.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\ = "{04649E5C-7E53-49A6-BEC9-62A9A1990057}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\ = "RichMediaViewV1release45Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\ = "{04649E5C-7E53-49A6-BEC9-62A9A1990057}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "RichMediaViewV1release45" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4576 wrote to memory of 3176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4576 wrote to memory of 3176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4576 wrote to memory of 3176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release45.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release45.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 158.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "RichMediaViewV1release45" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\ffRichMediaViewV1release45ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\ffRichMediaViewV1release45ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\ffRichMediaViewV1release45.js C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons\default\RichMediaViewV1release45_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons\default\RichMediaViewV1release45_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ie\RichMediaViewV1release45.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ch\RichMediaViewV1release45.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ch\RichMediaViewV1release45.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\ffRichMediaViewV1release45.js C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} = 51667a6c4c1d3b1bbbc8c13e80b88506b76d8d5612808c00 C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release45\\ie\\RichMediaViewV1release45.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\ = "{04649E5C-7E53-49A6-BEC9-62A9A1990057}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\ = "{04649E5C-7E53-49A6-BEC9-62A9A1990057}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "RichMediaViewV1release45" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ = "IRichMediaViewV1release45BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\TypeLib\ = "{04649e5c-7e53-49a6-bec9-62a9a1990057}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release45\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ = "IRichMediaViewV1release45BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\ = "RichMediaViewV1release45Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release45\\ie\\RichMediaViewV1release45.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04649E5C-7E53-49A6-BEC9-62A9A1990057}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAD3B54B-B3F9-4FF4-A8EB-31FAE954436B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
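
The three signature tables above describe one registration chain: the 32-bit regsvr32 writes the add-on's CLSID under Explorer\Browser Helper Objects with NoExplorer = 1 (load in Internet Explorer only, not in Explorer.exe), points the CLSID's InprocServer32 at the dropped DLL, and the installer itself writes the same CLSID into the per-user Internet Explorer Approved Extensions list, the list Internet Explorer consults before it prompts the user about a newly installed add-on. The behavioral12 run registers the same CLSID with InprocServer32 pointing into %TEMP% instead of Program Files. The "Suspicious use of WriteProcessMemory" rows in the standalone regsvr32 runs are the 64-bit regsvr32 launching its SysWOW64 copy to handle the 32-bit DLL (the child's command line is just "/s <dll>"); those writes are part of process creation, not injection, and are not an indicator on their own. Added example, not code from the report or the sample: a Python script that parses rows in the report's own row format, joins each BHO CLSID to the DLL it loads and to any Approved Extensions write, and rates the result. The embedded rows are copied from the behavioral12 and behavioral2 tables; the column split assumes the Process column contains no spaces, which holds for every row in this report.

```python
"""Correlate sandbox registry rows into Browser Helper Object registrations.

Added example for this report, not code from the sandbox or the sample. The
rows below are copied from the behavioral12 and behavioral2 tables; the column
split assumes the Process column has no spaces, which holds for every row here.
"""
import re
from typing import List, NamedTuple, Optional

# behavioral12: regsvr32 points the BHO's InprocServer32 straight into %TEMP%.
EVENTS_TEMP_RUN = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "RichMediaViewV1release45" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release45.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
"""

# behavioral2: DLL under Program Files; the installer pre-approves its own add-on.
EVENTS_INSTALLER_RUN = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\ = "RichMediaViewV1release45" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release45\\ie\\RichMediaViewV1release45.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{2ed0d4ab-eebf-42ee-a864-cf1611c5cc1b} = 51667a6c4c1d3b1bbbc8c13e80b88506b76d8d5612808c00 C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe N/A
"""

ROW_RE = re.compile(r"^(Key created|Key value queried|Set value \(\w+\)) (.*?) (\S+) N/A$")
CLSID = r"(\{[0-9a-f-]{36}\})"
BHO_RE = re.compile(r"\\Explorer\\Browser Helper Objects\\" + CLSID + "$", re.I)
INPROC_RE = re.compile(r"\\Classes\\(WOW6432Node\\)?CLSID\\" + CLSID + r"\\InprocServer32$", re.I)
APPROVED_RE = re.compile(r"\\Internet Explorer\\Approved Extensions$", re.I)
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")


class RegEvent(NamedTuple):
    op: str                  # "Key created", "Set value", ...
    key: str                 # key path as the sandbox prints it
    name: Optional[str]      # value name; "" is the default value, None for key ops
    data: Optional[str]      # quotes and doubled backslashes removed
    process: str


class BhoFinding(NamedTuple):
    clsid: str
    name: Optional[str]
    dll: Optional[str]       # InprocServer32 default value of the CLSID
    wow64: bool              # CLSID registered under WOW6432Node (32-bit)
    no_explorer: bool        # NoExplorer=1: loads in Internet Explorer only
    pre_approved_by: Optional[str]  # process that wrote IE's Approved Extensions
    risk: str


def parse_rows(text: str) -> List[RegEvent]:
    """Turn report rows into events; lines that are not rows (headers) are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        op, middle, process = m.groups()
        if op.startswith("Set value"):
            path, data = middle.split(" = ", 1)
            key, _, name = path.rpartition("\\")   # trailing "\" means default value
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]
            events.append(RegEvent("Set value", key, name, data.replace("\\\\", "\\"), process))
        else:
            events.append(RegEvent(op, middle, None, None, process))
    return events


def rate(dll: Optional[str], pre_approved: bool) -> str:
    """high: DLL in a user-writable path; medium: installer approved its own add-on."""
    if dll is None:
        return "unknown"
    if any(p in dll.lower() for p in USER_WRITABLE):
        return "high"
    return "medium" if pre_approved else "low"


def find_bhos(events: List[RegEvent]) -> List[BhoFinding]:
    """Join BHO key writes, CLSID InprocServer32 paths and Approved Extensions by CLSID."""
    bhos, inproc, approved = {}, {}, {}
    for ev in events:
        m = BHO_RE.search(ev.key)
        if m:
            b = bhos.setdefault(m.group(1).lower(), {"clsid": m.group(1), "name": None, "noexp": False})
            if ev.name == "":
                b["name"] = ev.data
            elif ev.name and ev.name.lower() == "noexplorer":
                b["noexp"] = ev.data == "1"
            continue
        m = INPROC_RE.search(ev.key)
        if m and ev.name == "":
            inproc[m.group(2).lower()] = (ev.data, m.group(1) is not None)
        elif APPROVED_RE.search(ev.key) and ev.name:
            approved[ev.name.lower()] = ev.process
    findings = []
    for k, b in bhos.items():
        dll, wow64 = inproc.get(k, (None, False))
        findings.append(BhoFinding(b["clsid"], b["name"], dll, wow64, b["noexp"],
                                   approved.get(k), rate(dll, k in approved)))
    return findings
```

On a live host the same join is done against the registry itself: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (and the key without WOW6432Node for 64-bit add-ons), HKCR\WOW6432Node\CLSID\{clsid}\InprocServer32, and HKCU\Software\Microsoft\Internet Explorer\Approved Extensions. The rating is deliberately coarse: a DLL loaded from %TEMP% or AppData is the strong signal, while a Program Files path with a silently written approval is what a bundled adware installer looks like.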

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_abfb01a66ce9f58efb046a181a0e83fe.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ie\RichMediaViewV1release45.dll" /s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force
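
The file activity in this run includes a write that the signature list underplays: the installer creates C:\Windows\System32\GroupPolicy\Machine\Registry.pol, opens the GPT.INI beside it for modification (its Version field is what tells the policy engine that the local GPO changed), and then runs gpupdate.exe /force so the new local machine policy is applied at once. The report does not show the file's contents, so which policy it sets cannot be stated here; on a live host the file is the evidence to collect, and both the System32 and the SysWOW64 GroupPolicy paths appear in the table, so check both. Registry.pol is the "PReg" format: a four-byte PReg signature, a four-byte version (1), then records of the form [key;value;type;size;data] in UTF-16LE with type and size as little-endian DWORDs. Added example, not code from the report or the sample: a Python parser and writer for that format. The sample file built by make_sample_pol() is constructed here with placeholder key and value names, not what the installer wrote.

```python
"""Parse and build Group Policy Registry.pol files (the 'PReg' format).

Added example for this report, not code from the sandbox or the sample. The
file produced by make_sample_pol() is constructed here with placeholder key
and value names; the report does not show what the installer's file contained.
"""
import struct
import sys
from typing import List, NamedTuple, Tuple, Union

MAGIC, VERSION = b"PReg", 1
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
# Record delimiters are UTF-16LE characters, strings are NUL-terminated UTF-16LE.
LBR, SEMI, RBR = "[".encode("utf-16-le"), ";".encode("utf-16-le"), "]".encode("utf-16-le")
NUL = b"\x00\x00"


class PolEntry(NamedTuple):
    key: str        # e.g. Software\Policies\...
    value: str      # value name
    rtype: int      # REG_* type
    data: bytes     # raw data exactly as stored in the file

    def decoded(self) -> Union[str, int, List[str], bytes]:
        if self.rtype in (REG_SZ, REG_EXPAND_SZ):
            return self.data.decode("utf-16-le").rstrip("\x00")
        if self.rtype == REG_DWORD:
            return struct.unpack("<I", self.data)[0]
        if self.rtype == REG_MULTI_SZ:
            return [s for s in self.data.decode("utf-16-le").split("\x00") if s]
        return self.data


def _expect(blob: bytes, pos: int, token: bytes) -> int:
    if blob[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def _read_wstr(blob: bytes, pos: int) -> Tuple[str, int]:
    """Read a NUL-terminated UTF-16LE string; return (text, offset after the NUL)."""
    end = pos
    while blob[end:end + 2] != NUL:
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated string")
    return blob[pos:end].decode("utf-16-le"), end + 2


def parse_registry_pol(blob: bytes) -> List[PolEntry]:
    """Records are [key;value;type;size;data]; type and size are little-endian DWORDs."""
    pos = _expect(blob, 0, MAGIC)
    (ver,) = struct.unpack_from("<I", blob, pos)
    if ver != VERSION:
        raise ValueError(f"unsupported PReg version {ver}")
    pos += 4
    entries = []
    while pos < len(blob):
        pos = _expect(blob, pos, LBR)
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, SEMI)
        value, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, SEMI)
        (rtype,) = struct.unpack_from("<I", blob, pos)
        pos = _expect(blob, pos + 4, SEMI)
        (size,) = struct.unpack_from("<I", blob, pos)
        pos = _expect(blob, pos + 4, SEMI)
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"truncated data at offset {pos}")
        pos = _expect(blob, pos + size, RBR)
        entries.append(PolEntry(key, value, rtype, data))
    return entries


def build_registry_pol(entries: List[PolEntry]) -> bytes:
    out = bytearray(MAGIC + struct.pack("<I", VERSION))
    for e in entries:
        out += LBR + e.key.encode("utf-16-le") + NUL + SEMI
        out += e.value.encode("utf-16-le") + NUL + SEMI
        out += struct.pack("<I", e.rtype) + SEMI
        out += struct.pack("<I", len(e.data)) + SEMI + e.data + RBR
    return bytes(out)


def make_sample_pol() -> bytes:
    # Constructed sample; the key and value names are placeholders.
    return build_registry_pol([
        PolEntry(r"Software\Policies\ExampleVendor\ExampleAddon", "InstallPath", REG_SZ,
                 r"C:\Program Files (x86)\ExampleVendor".encode("utf-16-le") + NUL),
        PolEntry(r"Software\Policies\ExampleVendor\ExampleAddon", "Enabled", REG_DWORD,
                 struct.pack("<I", 1)),
    ])


def summarize(blob: bytes) -> List[str]:
    return [f"{e.key}\\{e.value} (type {e.rtype}) = {e.decoded()!r}" for e in parse_registry_pol(blob)]


if __name__ == "__main__":
    # Usage: python registry_pol.py C:\Windows\System32\GroupPolicy\Machine\Registry.pol
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_pol()
    print("\n".join(summarize(blob)))
```

Run it with the path of a collected Registry.pol to list every key, value and decoded datum; without an argument it parses its own constructed sample. The parser is strict on purpose: a file that fails the delimiter or length checks has been hand-edited or truncated, which is itself worth noting in the case record.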

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release45\ie\RichMediaViewV1release45.dll

MD5 322fa7a3c9c2507d4c53e5a1bd6dd774
SHA1 b0cd9c6eaad5569a296e607ecaaa84d5df3511e7
SHA256 21db324b3c5141e45d240428a0c80e256cbba804265aafeb81b3897b2ae09633
SHA512 4a34f3f962a631225c4b6aff7838d0389dc2fead2cdeeb71257fd33ecd8529519943796ecd79133e2892deacc15e32e50548bf69358e498f9b63bec4fc99ee8e

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231215-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231215-en

Max time kernel

138s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release45chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release45chaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

146s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release45.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release45.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release45ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release45ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release45ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release45ffaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:48

Platform

win7-20231215-en

Max time kernel

122s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 224

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release45chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release45chaction.js

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release45.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release45.js

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win7-20231215-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 e3060e62ffae169cdd7697724969b782
SHA1 f6d6e508ae0ca90e95728e47fda796dcde327eae
SHA256 119ff5d8f893e9543e07969ed9ec031c32ed2b73f5ca6c5a10ec552499c7694b
SHA512 7ff9f9900e2d9ee6b3cdda13aa60fbd658f66a0650505fafb51b0b4de03105bc03751864c0f966e52d98a9944a160e2daf9b07464cdb37a3e566365ebc0a49fb

\Users\Admin\AppData\Local\Temp\nso6079.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 20:44

Reported

2024-02-04 20:47

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 7a94a5fb85a56204602b977abb69972b
SHA1 fa1c814a1ff40d3a407933b3babc90ee3f9884b1
SHA256 bb6012c88148ad61a3a7f7a2926f37e5a9e50c9e63beaed2f84f0a3e661c806c
SHA512 9a8d7dc379e175ab93c37202ddc525c34924c6397ab231f2574c1523ec6ac11f2090e5f3221d5fa6f74bb08d861ed8b6a9ca084ab45f9338288e9893c3007fd3

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 0c191be2550c21f91a0ba85ef2873083
SHA1 b4274396898453cae20a944060458f81cc4458de
SHA256 28c7f2f1346e5e0376795863940eea4ac4990aae3847f90c16595b265a4ebd0f
SHA512 a2834812551a5df69d208475d09ea97bad7c39b5ebdb7aa3c6d90c07e5887bdc528571f3add7efac322bb303614df1469903c824e4203616c77bab18b314308b

C:\Users\Admin\AppData\Local\Temp\nse6B0F.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab