Malware Analysis Report

2025-08-06 00:45

Sample ID 240403-w4rbjsha4w
Target 0aa976dd2023c98efea0a3bde2c2e390b85f06400730525a4a4d1db863c9064b
SHA256 0aa976dd2023c98efea0a3bde2c2e390b85f06400730525a4a4d1db863c9064b
Tags
spyware stealer evasion trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0aa976dd2023c98efea0a3bde2c2e390b85f06400730525a4a4d1db863c9064b

Threat Level: Likely malicious

The file 0aa976dd2023c98efea0a3bde2c2e390b85f06400730525a4a4d1db863c9064b was found to be: Likely malicious.

Malicious Activity Summary

spyware stealer evasion trojan

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks whether UAC is enabled

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 18:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnToolbarInstaller.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnToolbarInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnToolbarInstaller.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnToolbarInstaller.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnToolbarInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnToolbarInstaller.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 249.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 213.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 244

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 888 wrote to memory of 792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 888 wrote to memory of 792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 888 wrote to memory of 792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 792 -ip 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 608

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 227.97.18.2.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240319-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 228

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:32

Platform

win7-20240221-en

Max time kernel

118s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 232

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240221-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 224

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\DefaultPackOffer.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3904 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3904 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3904 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\DefaultPackOffer.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\DefaultPackOffer.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 249.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 213.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 38.117.19.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 1664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4768 wrote to memory of 1664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4768 wrote to memory of 1664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 218.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3408 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3408 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4876 -ip 4876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 608

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 38.117.19.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

108s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnIC.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3724 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3724 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3724 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnIC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnIC.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 websearch.ask.com udp
US 8.8.8.8:53 img.apnanalytics.com udp
US 34.117.224.112:80 img.apnanalytics.com tcp
US 8.8.8.8:53 112.224.117.34.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
GB 142.250.200.10:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 213.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 38.117.19.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240221-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Alawar.url

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 707c64dff485da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{08148FC1-F1E8-11EE-A3B3-6A83D32C515E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418330804" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000dba7a41e0afdfe19821dfd863382e04eebfd65549a4c02634be1886b1182761b000000000e80000000020000200000009634702d2564a1844399b69fc2af01a5ec3c8e8b552c71b05d39d3016c8d177120000000002e616a3c7a14cc6a41842de44255be720dca0e552027e405abbccb440eb0c64000000042ae59d86d31a4fcc30a288bcb9d0a431d5dd194f91388089d6a41d6de37dae6ee5481440cfd68e3da0268e4d9909ea5a35265da2a0f3ebe5b569d633a35a0f7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000001abd58d91acaf5bd0637e5338e48aeca33d90126aae972696bb208dc18782d0000000000e80000000020000200000004d3932fc355647f740373b238cb5c15bfc63e6899fe5e7de5b892cf8abb5b39090000000ad638b91aa54dd91f1e6b1deba82ee52eedf71c0bb2ab09b3bed1a93ad80b9cb2c342f40f1f87a35cc024110388de23409e7d9ad6c7269fcc2fd8b8393b4f41174ef97a612add09714a31f778e1e80d57be8fae60784267b0acefc383cebcee9e61a7ec3e6cd77a5ab1fbaaddc254a4ec0b54eb0b8e70b06511ff6308df1316a617c0760d5e067bbad7dd233fc757b60400000003ed4fa848891dc35592bc1eb8c1fef6085a1a620d7f49124509e65954cd0d49379bf0f49ee1d69da097e09742818554b0688d9386be0eb31c943b7b8c7a653fb C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Alawar.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.alawar.es udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2276-0-0x00000000003D0000-0x00000000003E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4396.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar44C8.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b872820bd2bbd1452da3db8c29be719
SHA1 43d6ce9f797447d2e1ef6ed39c8982cd22a7962b
SHA256 0458388933a66a695bb7ebc31260d09d15e7622da801856e80800c61562416db
SHA512 23ad40ac18bcbc32fd50c0b676d85be972e670ae352437317589a9fdf929b7dc47a9a17e3a5350306682dae492d17aacfe6819e8ff5f863772c4822fb8a47123

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dbd8cce1d36ee2ee901912aa04a103d9
SHA1 0714ae80c1ac8fbe633e208c0e1475d52dd47b3e
SHA256 56bf7ac1386de131d909961f254b8d41536f7e0e88e1ddd1bc5ddc23836d9ae7
SHA512 ec2409acd1b48959708607ce14c3bc417dbb4c1c953a60b0bb0ac7bbf73d3c9ed5bde642e7433c2e3f3a9471ac9ef85bb012b515eb48e8acd9eb021549a0e8cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0725799cc1eb61ba7fafd7b6e9859fea
SHA1 5e0269ac18b20d3dd74ab0b507e2a5375e0cd4a0
SHA256 f1ecf2d19b8a0b97f7e7b88a6bbf5ba9eaaeb854ce26794d8bbf90064bc464d1
SHA512 f33398c2502b8e23c233372bd3e3958d47345e82f606d8a1b53bf21cd2aa09f2a63c210a8a0f5902a419305c4fdfd14efaa026449a590d0587cc4082c22a71f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec2bc6792211e55273acd07170cf784e
SHA1 9e05c0ad09ff22b6a99c9b7a8fb05717f83369a6
SHA256 257b943c263571bb44753d9072e61a1e84ea13ef0d94e5a477d915e58c387646
SHA512 715686444230ff107ede0250fdace7b80fef033adaab958d07465c59375d3cc434b3d6d9eb0ece15934d75c2e66404515f6fff9c8a8cc1b3c85a9f1f2c7a77c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 485fc792bf4d3e0e64686feea99ff5eb
SHA1 8af2f62bb37df823711ac70766cf969f39413867
SHA256 e3571796d3b0f815ee9f11bb4ba5fe016e289c91ea91f22dc381fb6ecad69120
SHA512 21f6bd61ddcd109daaadbb8fac53157a66ccfa7549307002daa63970ce7a1614f204b231e6e6277a31757fee33e06e47e4e96c233f3430cf0d4b045ce14c902e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 672f019fe9bcc6a77d50bf42075badde
SHA1 17052c67524543c98a58f0da15902bbcbbc4d543
SHA256 b72e4bd768fca904e483fd853091ffacc4795beecdd62a08117a151081da3dcf
SHA512 bb7f5638f17bb6318875cec1559bf200a4edb31baa9a01fc5547c63b51073146693909d46fb7db78c04139867a1ba29fb6824d29bd5adde7edc08c54f3bf013e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77446e432d3b9e8da101d178e213eed6
SHA1 733b3d37f45c492ad157a4962fd316fcdd984804
SHA256 c4bf6a80c26c7f64504074c92c89c2cd447022f425e473b6d3c35512f54e4221
SHA512 f58e92bcb4329f52cf51a678061179eb420404f14ea35d5c7f46a303ac2764a623f0534985e69c47de34aef47a6d9d461db42362db9745654cec28598b7ee262

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adb286fdfa13026f47e474a205618aea
SHA1 7ceb326fe7afca3c80dc63a9c0c5938f3a37edbd
SHA256 a5d1e199e74970842b2edae4f3a5702b2bc9f1d628752995563faf5679459ab4
SHA512 0ab0b33ab2b062c5ec0c48f27ac78d29ef3badac884e396e25a9b8f166c80237b0cd3315e7b647625eae23b982d30b1e94fbb0155d69a38cf5e3c859d8866f33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e3205c3b138ef9f01df40427d7f49ec
SHA1 88af804fcdcdf8d18ddbb1dc71940a02ddfa0be0
SHA256 f34eebb0a4796f2abab258f52bf593289a1b0e6acefaff6dd449fb554ab9cee6
SHA512 b5b520415495e684bcb61e4896544628cf9ea55228f56d0e90e3c9705665eeab7337fe19ff0ca9e3b8454dc08a7cc482562b812b00de879bfe4770e1b6e00289

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a4c47deab25f1363db8f04e34ca0505
SHA1 3e874e50acbd1c21c1ecb45271e15c02a4ecd8ce
SHA256 24e47a8f34844e30a5dfaa67e05ba57197985e097944b83a553b2191bc3f650e
SHA512 a258749da481ae3e2b39c0dd3a6250a970d72016fc8041bcb949266ab731715f04426fc759fb3f8b9a8b128501d0e2d5e0ae6b1f058b24e0797e375452ffebbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 017aae2111e4d2b1c11d09ec4ed30aaa
SHA1 7baf5865196591ea9d6fc062d1bac8182c5e589b
SHA256 be1f040fa0f00251001b6fbe53ffea25277668cccb1d500868ae7b4a6420bcf3
SHA512 4786bd33c6800c8b5bb69ddb1b6c2800b7e6bddd9f2560c93ca42f460ff0e3af501c2505b7747037309f790a14f326ec425fcc846378976d638b63a5e803bcf1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4da704f8e6d93a8bbb155813f53da5be
SHA1 0a38d42d07c2db108de8bcb3788f1e54699eb3e4
SHA256 fe058db1c119d91ad440ad129e5c45c55dbe02783638ff771b0a2d47bb1dbb2c
SHA512 39531079c8b6847e92d6709015e21c5402ab2322431d711e565bb12a6b8bced54987f631b3906a45794b584d2704d610e9c6359e26e46d926508372a69b9c033

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b2fdf6c8c00680e81702c72d5f8531e
SHA1 d47c13c61d7440376c2087942ba287e45d4ddd8c
SHA256 f346badf3342a013be41027b59598ae85dce6035253c36c82c9c27711baab53f
SHA512 7183d81550349cb6e02100e173352d66d27bf4a695131e723a3c2094cf9c70f14d62b2a8831043ecee9df383f05484f1e770c92044d828a5828f8dc7460b562d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65da6005cac9b59ae9094e3e7ef0e154
SHA1 39837f52da33e15e8ad85fa029c324cd2bd43adc
SHA256 122e82037032c3e41833b85b75851b81786ed33c418f95030d6b14768ce01959
SHA512 3852d47c192dd27b94029b0c3b12ce3bada7b0ef4acaba483c738cb6b2f10f2e8e52fbea782c615800191f3416a100dbe32b66f8973bbff063358182963ce135

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73474e4318f291bdb045c6004fa1676a
SHA1 53a95c1134df47ad90aadca656322ad026ebc431
SHA256 874531612ce54b7a088340d36a9d21619d0649ab6ba17633055fd973c12c18f1
SHA512 8fea8598bd8f502505003e108c791eca8ffa0a1a7e3ffd02c4af47e2f5cc0c69a4136917656b10bb07351e49925a624b3fbb3820381a000616991ac7849089be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5736aceaa0849fbb93d12d47efd415d0
SHA1 7cf288b4a5c0110d212ec395829201d09e2240ea
SHA256 5e237034184298ff2614f44679eb17d16b1bbed6e75d8c106a245b6641d650b9
SHA512 3a5d7e39b0790fade547ccac91b103a5487c8fbbc32f8cc66f333db9acdcfcbbd765fbdcb9c64f2b7bbb5cf92f31a0e5bdd935413d45af3f7713875de7bfc253

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43ce5e839341283e74ca388ebd63c1c7
SHA1 5078cb23f3f23e49cf34bcf02b6180ab8c3e6127
SHA256 23aaf9f40e5c1c0fdb89bc393b1e7c20f9cb81e005dbb84bc7dba6e18a40b54f
SHA512 873b96f47bde7e1a9a481284c0610d35a8f24fc872379d511b4b65664e2a0ed3301115615100f26fb1fcff97aad72ace339ad28ba9ca40089a0904a274f1a31e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ed3d1b0e7ec4b3e55567027bf01f3df
SHA1 50f8ba3f0dbf369acbe2d7fa80b681564e602ab4
SHA256 1f888d03fb55bd067f2f1a810194d26b8ea2925baf24af8def8ddd52733728ad
SHA512 50e9d8d3998ed88fca1d131a53833229fbff749846f5785a4268556527f601b5a4d89f7b5c74738b19e04b723305b784acef952736f78d7069866a1590505dca

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnIC.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1812 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnIC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnIC.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 websearch.ask.com udp
US 8.8.8.8:53 img.apnanalytics.com udp
US 34.117.224.112:80 img.apnanalytics.com tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240221-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\$_21_\Alawar.url

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418330805" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a04ffcdff485da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000e3d23ab20a0784766318c29c8bd9647a4dfbc9d6a5dd8cb5f3e79e5bd09e0f7e000000000e8000000002000020000000d3c57b58fcbf829e6a7cb9590c610bb12de831f7ba06fbd026dc2f5222a39dfe20000000b753f6f84adb2f1e53f94156267f1494d6af001cff048266cb73e5e361c2b3e44000000088304be94a34e07b5e5a0391fd1c0647fc44e53715d055adbcd0d8f72909dabd526836b94a63cd647c5f2a0098034a6fe6567f0d4d323fb71396c3b67c30f3da C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000fccc0bb61c506bfd02d14d567c3d563595c7f577b56570ddcaa9957871f11b07000000000e80000000020000200000002e5c38d1e159d62a9b8783612e8ce24335b765312754f6e0517f7d1f665830d090000000b460b64d18f628d097f92ea09f2f7ed67e59e8863b6c770df738e4d7a34b28bde69ee42d5732467a97c9aac00c3e81dd3334adabeffc87223aa2ac9613a659fbdd438af5fbe1581d821a0c43b7f3dde4a0c2ae392831dce4bd3a365895ff37693f48635bd2cc3c27a9179cc1c7d887e240c155b2ec923f00a8b05b646a317f2b3c792cb351ce0c880d96339535c6a50040000000080fc34679d5901d50e8eca6679e099ff42934965f53486d47e5c29c36f24e2bd03a106f2de63363a424e36f87853f76e9bb60e181ac298c6bc13191c354224f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{08AED3F1-F1E8-11EE-9340-6EAD7206CC74} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\$_21_\Alawar.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.alawar.es udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2920-0-0x00000000001D0000-0x00000000001E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3BBC.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3CAD.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b30e68a008e58f6e9ee7424af35e4fe
SHA1 5f5cfe58c31e15d828adb72b7481f48885266995
SHA256 f2f98bea57a5fff649513ed8fa3255ca3933bb3118a81ace213577cac2f5e06f
SHA512 0f703cfecfe1aaff114ee50796384fa17742b4a752bbd1f75cbd9542023a00878c0f804db3f297ac95f8b0586bc82e1074cd1e3b39b33c48b848133d6cc5fee5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23ce733c9c6a0ef88ff3360b338e0dd4
SHA1 d5639157b571e09d2e2622d66d3deb79b17683fd
SHA256 2e9fa233c016730addb7cd5ac4f12639a796b2138c5fcc8fd463389a006a46b3
SHA512 b14df0bbfe610380b2d691e0b5c02f14055267214b680168fe7bba4d611c315a9c18868536b574beaf904db42370043363b7e9ded3f604fdf7f86fcaa4d3ad7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f457534c753cf68e7f486a7844fa2e2
SHA1 749a0eaea965835a0ec4d66ca740377ee00f8993
SHA256 d61980fc413d9c493bcbe7765e09a66a572940cde91c13d7daeb7a58e841bb56
SHA512 6c687f7aa3a5a3b181cd87d7ad43044d6ae32c717de046f5b188231c446dd6fbd10115d90a9a798943a94981002d5eba6af8d40ece579316d65ef1967560bb65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82bb198c11681d15ee07d7ed9102f783
SHA1 14435ed041c87a1f0b517dfda0f1fc116ae0e25b
SHA256 4ce11024ccb90b75bf6d9aee15b60a680efe4b585b529f7ef630b63e8657abf1
SHA512 37ef096c905cb3f7665c720648952d54db70f565d32fe9c9526ccefab265ebac16beddc4806bb078ad7a72a97acdf00d74fc4eaec8a2314cb6bfa2862c26ec21

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c0cef66d6e18429a10109023bc42708
SHA1 e3f50bc9ad40f91479cd72c10a952bfd7b159a4b
SHA256 ee7331c4c1d46aff3a86af752a688131a118b06977accb6f38bd133e06fd603e
SHA512 cc59884541a7f975c4c2361dfaed8c75f9db9b9f3adcb552a3fdda5ebd2fc27ba30074e2aedd64f9e727deb0a2e9496f15583a11a45b9087273cc44488938c49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 054194a7b32dab8dbdee39b3b5d79b86
SHA1 dc20387f75f393bc6ab5fac25895d76931953653
SHA256 5c2c4eedab06e4b02fd62748490629976732e95da38043625a7c8ed06d727484
SHA512 a08a9dac2f3c624f24bda19aa835e8253fcc4283cd81c354a09c8c84e7ddb71a98bbdbd6e4a6215139f967647456ec527f23707bf2de6269a340035207a0ab7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8eba4f9e528b2e1f1eb44094dd342c9
SHA1 fe66289e1d0f7f80fc9f47d7c8cf8d2a73c788ec
SHA256 9e146869b00c4b8e23685aaeab2f41f9be0955f420d3579535f29c3c2dc66881
SHA512 d2ebc8fb15098e78f04a6c6218913b33f7f4e9e27f0009816b0b3d9c06f2be97612e2cc7e66e00185ebd2e235d5993e24f719a428b41e182ce19d1c86e2fd3c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 401e2a12d998504fced67ce3b6833df2
SHA1 88277530de49d56c5be89487a8e98b94ad9ca471
SHA256 6413bb01fa47e8631531f8e5fd120403b050f1eed98c6428ed178ac71d7f1cab
SHA512 00fefabf433c1123a32108a112127ac33ff4cccefcdaf68772aba4df38b72e5e7598afd0fe5eab9b350b827bd3ca735db92b88e15bbdf23cde74afb9b0ff0be8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 68b0e461f1a6cc0b1acc8b88fe40c536
SHA1 7f5b48ac0f3b5a3422035298edd3669f6c95df89
SHA256 24b7f907dde1cd3334dca6b379eb708758830bd75b6e195dd14765f3e08fa781
SHA512 e24d1ff6612e459f6b72e10e8057585c9d9b29180150290c62ba5b125345d687b3cad031579b203645346828d65e3b0849d3f7756b0db995f223d1330f91f8d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a41851e9ef787f8a26ff8c9289b275f
SHA1 181f7394b9f9620c983a2d5cea15c0cd2d042e7a
SHA256 f7995231e2eef24aaeb7100b57aa2373cbc9d24af43ce73a0e79afb59c9b527b
SHA512 d078b2f7199192bddf77942f86acfb0b702b97f95bca7c463dc4ca89aa6f841107090d03d330e54bb14af230d309835642a4290c1ea246e0855c876d7562b9a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33bf826d219d5acc2239235bff168b4c
SHA1 ae33493659547755759c909cec9e6e63a6df1c47
SHA256 9af573d6ef2bb5839e98472cdb8b238603e3450f3f8293f26ba631213b60cfb2
SHA512 69a5bc510c639021f40b9b1763fa4cea48157b23797bf9646e05786d345eadc010025b5b32088381861887e7ce69f1bae2aa3beb34859f630761ecdbb9c501f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00da39c9056350f2b17bb63852e96df3
SHA1 19ef0eb340bb03a9ec982330d9a220c6d6d2d782
SHA256 ffef5b96fb12f9943283a33f94bdb9c91a210a296085ea3d4408fbcf073d09d6
SHA512 acdf1d57d20af5c13a7d1f1445241327b674fcaaad3bfc6667dad62fbc07362da4a0fba67f3ff091f1e20074c03f4d6132090d182da35bcb3f198c42a42b9202

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f0dfe38a42e0dac5f5ce2f03da71774
SHA1 b0333ad779bfd1e84b6eb7191da86d2c5d8836cd
SHA256 9ec123f4d0648a2369ff08d18ac475f7c8ce92d859e4f67fda600df876678c07
SHA512 9b8f81634ddf7f9a6d433648bbdce8ee9459cb910aa1628d4a3644cf35d3aa2697c29e296959b5d9c42861b4ecfe35c43a1d468b4d4f9618f3d40ada9604eb15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c57225dfe2ebe300c24daeeb101bbb7e
SHA1 ebec885ffa9967a58ca23e236a410dcb464146cf
SHA256 116951e755463678d996f60039784ec263c85c7576500cc970db969b37f4562e
SHA512 1e07d93973fb9f5890ecb2b9b358864e4c1f09ffc834e78e0de7e6d6f2820f7042a5b00cc273a6967df7df9819a727e455616f2500abb52687b4ffb1cd061e78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fb770fc0f6dabec9874252bc3a1d002
SHA1 388e6d627802e850cc5e8abaf676645d3d73e8a6
SHA256 00c1f2f2a5346dfa1884d0388297b532eb589c5fa6fac068187448dbcd329298
SHA512 07a0eb21f602dfd72aef08ce23e6a6cccfa9585c34ff11143a7e0d101db8fc8443587275c6f2b558e99510c50b41d451130d868896e8686cdd2a2fa7e4ef0fec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f60f122106ee3fc25bb1c6ad3353adf
SHA1 6876aef9f5e1cacc7ae4037528050fa303edf902
SHA256 ee5175a2065d931cb66989b0b57b3326a7b5bf80e90c89d506121d91b043850f
SHA512 1a1e6ec6bffd2a3a97c729c12f19c261861b5ede093d9b1f626f1fc9566216a332b7a4e6a502c0ec454fcae174360bf488e982bfbcb688a22152231518d04bf5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d80cac3f1cc25c2f54bb69dfbe5aca7
SHA1 254680a5f72af79e8ceb19670f693ca9c5742048
SHA256 9569140274547a00317d40532bc5e9e8fe225f137847f76456cca25a3dce4daa
SHA512 45b03e1cbfbfd4b2efeabe07c005fe6fae91e70e8020345fcb85b5a81d20ac5e05ff0b0b7f3640e81b8d3e51c399943b4a1faddb89d54dd5136c3b62c259af5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9de98e51665e74108b9816dcf8505e0
SHA1 9bcc03e54b36c02d25fa59c975229e1e44f267c5
SHA256 d37422bb38497886c07ff279b16e6d31583ba51a8cee67e39b701917f4de30f2
SHA512 fb457d48cfe72e368f3a23107ad1c5550ed9df71191466ae03ea74d3bc05b3aa5830ef3b49569413c80b4786cb0424e56a0996bf9b3011156fe7c957efc857ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9c84ff797056eb8f61f10aa4acced06
SHA1 eb08c4e862cb29224480a11a00ea04487db86652
SHA256 f1de71b46bd93d999cb6d3c302bed945493a927e7851f012d17274522ef68db9
SHA512 205dec4fe2b585db4208510d303059a2f31786af6bf1b189ba04826a23cd1d690755a35310ce174735262ab2c6d20fcb8ad64584410384c3297c62d54638cf03

Analysis: behavioral28

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

132s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\$_21_\Alawar.url

Signatures

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2780 wrote to memory of 4596 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2780 wrote to memory of 4596 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 1600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 1600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4596 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\$_21_\Alawar.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.alawar.es/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ac0f46f8,0x7ff9ac0f4708,0x7ff9ac0f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13771728232569332289,6125839683936555137,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4176 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 www.alawar.es udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.alawar.es udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 227.97.18.2.in-addr.arpa udp
US 8.8.8.8:53 213.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 www.alawar.es udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.alawar.es udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1eb86108cb8f5a956fdf48efbd5d06fe
SHA1 7b2b299f753798e4891df2d9cbf30f94b39ef924
SHA256 1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512 e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

\??\pipe\LOCAL\crashpad_4596_YHFBZQJOQVRYXAEK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f35bb0615bb9816f562b83304e456294
SHA1 1049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA256 05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512 db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 839098072c857781b1d99910439e3f5a
SHA1 0cb020ada61fcbade987d84905a2f5f9b90e4865
SHA256 f335cca15e5d4045afb08e9dcb04476894742056f11479070ecceb3c62ce4b41
SHA512 c814f347550157fc2b5d23abdc37598db1de1e3b786db2fe8ef5f7f4d7e673b9d0add1d5f6e8b78b31729b6821d2516877a17d7e7241c2a61facd95cee74ab72

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8c25fa4e2d035c38f16c8f46857ba76b
SHA1 a19344067b3723b2c24bb6907a3509203a606f6b
SHA256 26913c7a1ec7552e15420749388ef7ea1326dffc54dfbf66a0e313aaa719adbf
SHA512 f7045819f5d835d3698d4556a276a59888bec4b488b7044ae52f2e111031f1c1d9708dc7ac758c8f33c7e66dd3f18d63e32610dfd4a3add10c0e610b34f34f1c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 681a5d6ee64cb6f305c1e30fea79ac77
SHA1 2bcc9bc7528f1089f8abe6f3bdd276aaaa0da99e
SHA256 5c5e5dbcc526c727095e394288381b559b9b238d97a9bcdb4ddf64a23d315539
SHA512 957fd2bb835f3f22963178281004ebf78c7ac0e85a30892a65998b9b44f7e0b1ae9497857f7f825c98b070333f6362ed76f723d4100561f53d1339dea343192c

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240319-en

Max time kernel

147s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3360 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3360 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3360 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2144 -ip 2144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 156.97.18.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 218.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 38.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0aa976dd2023c98efea0a3bde2c2e390b85f06400730525a4a4d1db863c9064b.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\0aa976dd2023c98efea0a3bde2c2e390b85f06400730525a4a4d1db863c9064b.exe

"C:\Users\Admin\AppData\Local\Temp\0aa976dd2023c98efea0a3bde2c2e390b85f06400730525a4a4d1db863c9064b.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0aa976dd2023c98efea0a3bde2c2e390b85f06400730525a4a4d1db863c9064b.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\0aa976dd2023c98efea0a3bde2c2e390b85f06400730525a4a4d1db863c9064b.exe

"C:\Users\Admin\AppData\Local\Temp\0aa976dd2023c98efea0a3bde2c2e390b85f06400730525a4a4d1db863c9064b.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 218.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 38.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4036 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4036 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4036 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1936 -ip 1936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 227.97.18.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 232

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:32

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

169s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1936 -ip 1936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 227.97.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnStub.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnStub.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnStub.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4052 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 147.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 38.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\DefaultPackOffer.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\DefaultPackOffer.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\DefaultPackOffer.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240319-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3352 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3352 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1888 -ip 1888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 249.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 213.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:32

Platform

win10v2004-20240226-en

Max time kernel

135s

Max time network

178s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4744 wrote to memory of 4968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4744 wrote to memory of 4968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4744 wrote to memory of 4968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4968 -ip 4968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 636

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 218.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 38.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 4276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4392 wrote to memory of 4276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4392 wrote to memory of 4276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4276 -ip 4276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 249.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnStub.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnStub.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\AwrAskToolbar\ApnStub.exe"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

162s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Alawar.url

Signatures

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 1688 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3172 wrote to memory of 1688 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 3880 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 3880 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Alawar.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.alawar.es/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff857f446f8,0x7ff857f44708,0x7ff857f44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1780 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,1293977703612880239,298404709166880286,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3080 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 www.alawar.es udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.alawar.es udp
US 8.8.8.8:53 227.97.18.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 www.alawar.es udp
US 8.8.8.8:53 38.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.alawar.es udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a774512b00820b61a51258335097b2c9
SHA1 38c28d1ea3907a1af6c0443255ab610dd9285095
SHA256 01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4
SHA512 ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

\??\pipe\LOCAL\crashpad_1688_ZZLZMBIPLEXKMKBL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fd7944a4ff1be37517983ffaf5700b11
SHA1 c4287796d78e00969af85b7e16a2d04230961240
SHA256 b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74
SHA512 28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 13a047cc63f0cc664b6827829a039bfc
SHA1 7447f2e8fd7c2f9c652bb03b89d0b6cabb793776
SHA256 ec24a4544b34e22fa4e38ea17a1bb66949d1b49a25ecf16bc49fb0f1739127c9
SHA512 c2f4cc572f27f9ba2030deb4d476a59ff36edeade6444acdfc8b39caf42859a51b7fe971159fc78b2728e600188fb3609c5679187c2e484aa0c0c2fb8c9ec491

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 74b6dccdc83b3e65a7974824ce7f4089
SHA1 c3e82275d1bb40045a35e67edd207cec79354d47
SHA256 83ce292c010343381cb3836ab922ee244c7fbfe05c581f23c7a69ed667b7a8ed
SHA512 e6bbd4b9eae4f0a3708f34c98f202bb805c241d7925ecb8b1dd37f4b8a642648ddb2a4d015f200d6e06006d6399c847e4b90188c5d7f5d7adf47028456734df8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d294b1b7d1fba7d54546e1355b975d1d
SHA1 7c8c5307dd0cfa48c80255317f584cf884da5a1e
SHA256 254b377aca0cd3c8587cf558e06f2e2a730c476835a995be2eea0349e9969e93
SHA512 16b3f174ff0f0574f526ed01acb2edd546033d068e079e547b6d6b636e87692a6d515ff95018bc115e88ea711cd935d3709e34d2fa42a12c277c6fb4c09422b7

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-03 18:28

Reported

2024-04-03 18:31

Platform

win7-20240221-en

Max time kernel

120s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 240

Network

N/A

Files

N/A