Malware Analysis Report

2025-03-14 22:56

Sample ID 240406-1ztnbscd3y
Target e363d99fe6c79c0ddd88a5bfee78a9e5_JaffaCakes118
SHA256 ced01c2fdf38bb8fb9dc21d06543d7033cd31de47ed293723736b9bbe0410162
Tags: bootkit persistence upx
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: ced01c2fdf38bb8fb9dc21d06543d7033cd31de47ed293723736b9bbe0410162

Threat Level: Shows suspicious behavior

The file e363d99fe6c79c0ddd88a5bfee78a9e5_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: bootkit persistence upx

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Writes to the Master Boot Record (MBR)

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies system certificate store

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

Tag: installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\Gax.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 460 wrote to memory of 3216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 460 wrote to memory of 3216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 460 wrote to memory of 3216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\Gax.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\Gax.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 648

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\GmAPI.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2860 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2860 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2860 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2860 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2860 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2860 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\GmAPI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\GmAPI.dll,#1

Network

N/A

Files

memory/2912-0-0x0000000010000000-0x0000000010050000-memory.dmp

memory/2912-1-0x0000000010000000-0x0000000010050000-memory.dmp

memory/2912-2-0x0000000010000000-0x0000000010050000-memory.dmp

memory/2912-3-0x0000000000120000-0x0000000000122000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 228

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\AppPlus.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\AppPlus.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\AppPlus.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\G.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4920 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4920 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4920 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\G.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\G.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\P.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\P.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\P.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 236

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\P.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3456 wrote to memory of 316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3456 wrote to memory of 316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3456 wrote to memory of 316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\P.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\P.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 316 -ip 316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\xml.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4596 wrote to memory of 2704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 2704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 2704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\xml.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\xml.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.192.122.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

Tag: installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 1e5658f370dbe9a8d29b670c048c819d
SHA1 ac56563cec5f7d377a4aa78b8ddf01f96fad01be
SHA256 e8f5aff29d87804afda0880eff3028d0fb186ef2f19507251bd1ff4817f9a077
SHA512 71af6a48703d6e280e3b80deae471304dcf30a6f2f4af7d685eec774185ed02d46f3179f9d6ff85a7451e0cc2f74c8092fe0e22f6c5e4e0739da7e7f82092c69

Analysis: behavioral25

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\新云软件.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\新云软件.url

Network

N/A

Files

memory/2044-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2044-1-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 3688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1448 wrote to memory of 3688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1448 wrote to memory of 3688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3688 -ip 3688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20231129-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\G.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\G.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\G.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\GmAPI.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4492 wrote to memory of 220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4492 wrote to memory of 220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\GmAPI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\GmAPI.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp

Files

memory/220-0-0x0000000010000000-0x0000000010050000-memory.dmp

memory/220-1-0x0000000000EC0000-0x0000000000EC2000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\xml.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\xml.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\xml.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

Tag: installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 1e5658f370dbe9a8d29b670c048c819d
SHA1 ac56563cec5f7d377a4aa78b8ddf01f96fad01be
SHA256 e8f5aff29d87804afda0880eff3028d0fb186ef2f19507251bd1ff4817f9a077
SHA512 71af6a48703d6e280e3b80deae471304dcf30a6f2f4af7d685eec774185ed02d46f3179f9d6ff85a7451e0cc2f74c8092fe0e22f6c5e4e0739da7e7f82092c69

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20240319-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GWM_Install-v110901.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GWM_Install-v110901.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GWM_Install-v110901.exe

"C:\Users\Admin\AppData\Local\Temp\GWM_Install-v110901.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy37E4.tmp\BrandingURL.dll

MD5 71c46b663baa92ad941388d082af97e7
SHA1 5a9fcce065366a526d75cc5ded9aade7cadd6421
SHA256 bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e
SHA512 5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

C:\Users\Admin\AppData\Local\Temp\nsy37E4.tmp\ioSpecial.ini

MD5 24236bf1f494e860a7257f44e20a81d8
SHA1 0e16a2ce0bec6698721afef629d89901ee2080d6
SHA256 d8c06b4e736d825566f8f81ddb7d0bd059bed889194ea68b426b960575904cd3
SHA512 4373155b0b8c2d822eb1d9336ecdaca77753af043c65913614a7e790fc8fd7fa0dc827a80da1b2387d0fc52129afe5eee06e07647c5bdd8c936daf7f2fdb6509

\Users\Admin\AppData\Local\Temp\nsy37E4.tmp\InstallOptions.dll

MD5 107737e3282fefd85684f2fa3df6d1c3
SHA1 3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f
SHA256 21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0
SHA512 439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 5000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 232 wrote to memory of 5000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 232 wrote to memory of 5000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20240215-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 244

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GWM.exe"

Signatures

UPX packed file

Tag: upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\GWM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GWM.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GWM.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GWM.exe

"C:\Users\Admin\AppData\Local\Temp\GWM.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 www2.gdmdst.com udp
US 23.231.61.161:1080 www2.gdmdst.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.gdmdst.com udp
US 23.231.61.161:80 www.gdmdst.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 161.61.231.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 23.231.61.161:1080 www.gdmdst.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/2272-0-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2272-1-0x0000000007420000-0x000000000743D000-memory.dmp

memory/2272-2-0x0000000007420000-0x000000000743D000-memory.dmp

memory/2272-3-0x0000000007450000-0x00000000074A0000-memory.dmp

memory/2272-5-0x0000000007450000-0x00000000074A0000-memory.dmp

memory/2272-4-0x00000000075D0000-0x00000000075E6000-memory.dmp

memory/2272-6-0x00000000074A0000-0x00000000074A2000-memory.dmp

memory/2272-7-0x0000000007930000-0x000000000797A000-memory.dmp

memory/2272-13-0x0000000007C40000-0x0000000007C5B000-memory.dmp

memory/2272-14-0x0000000007450000-0x00000000074A0000-memory.dmp

memory/2272-15-0x00000000082D0000-0x0000000008703000-memory.dmp

memory/2272-16-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2272-21-0x0000000007450000-0x00000000074A0000-memory.dmp

memory/2272-23-0x000000000B500000-0x000000000B5E0000-memory.dmp

memory/2272-25-0x0000000007450000-0x00000000074A0000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\Gax.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\Gax.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\Gax.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 260

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

108s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\新云软件.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\新云软件.url

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.192.122.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GWM_Install-v110901.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\GWM_Install-v110901.exe

"C:\Users\Admin\AppData\Local\Temp\GWM_Install-v110901.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsb7BF8.tmp\BrandingURL.dll

MD5 71c46b663baa92ad941388d082af97e7
SHA1 5a9fcce065366a526d75cc5ded9aade7cadd6421
SHA256 bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e
SHA512 5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

C:\Users\Admin\AppData\Local\Temp\nsb7BF8.tmp\InstallOptions.dll

MD5 107737e3282fefd85684f2fa3df6d1c3
SHA1 3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f
SHA256 21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0
SHA512 439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

C:\Users\Admin\AppData\Local\Temp\nsb7BF8.tmp\ioSpecial.ini

MD5 f1080442c642cd81293c7318f7efe77a
SHA1 091fff5d2b2b69c32663f6249b05206a1581d7f2
SHA256 071614b4e7e7e01e6885e993f898ad6a201bc0ffa6c7330aee99cbe9e8150957
SHA512 9b4909c770a2ed73125eed7e88f2f640461d06e886a3466f4f032f8f760bc3c42ce16372de12d846c59c72cf2f9f623ebe1c5c98bd896bef3414cb2c715d9ff2

C:\Users\Admin\AppData\Local\Temp\nsb7BF8.tmp\ioSpecial.ini

MD5 9c02b6f9b9fafe3b93e681dd54d12b70
SHA1 dfa44eedfa68b1a931131a7326e7ab0b1de9d3ce
SHA256 44bbb5a375ec281c3972df497e9680af58610ef70445c08f3519bd9fbf9b8544
SHA512 a3ec643009214fa97b39aa3fe9a22217ee8d16e67d5002973427e7c44bebac3411949dca8861e12104fc0484b70538cf564a73e1842e304f01662c530202e45f

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20231129-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GWM.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\GWM.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\GWM.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\GWM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GWM.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GWM.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GWM.exe

"C:\Users\Admin\AppData\Local\Temp\GWM.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www2.gdmdst.com udp
US 23.231.61.161:1080 www2.gdmdst.com tcp
US 8.8.8.8:53 www.gdmdst.com udp
US 23.231.61.161:80 www.gdmdst.com tcp
US 23.231.61.161:1080 www.gdmdst.com tcp
US 8.8.8.8:53 wpa.qq.com udp
US 8.8.8.8:53 amos1.taobao.com udp
HK 43.129.2.11:80 wpa.qq.com tcp
CN 59.82.122.10:80 amos1.taobao.com tcp
HK 43.129.2.11:443 wpa.qq.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 163.181.154.248:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 pub.idqqimg.com udp
HK 203.205.136.81:80 pub.idqqimg.com tcp
HK 203.205.136.81:443 pub.idqqimg.com tcp
US 8.8.8.8:53 ocsp.dcocsp.cn udp
US 163.181.154.248:80 ocsp.dcocsp.cn tcp

Files

memory/2240-0-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2240-1-0x0000000002BC0000-0x0000000002BDD000-memory.dmp

memory/2240-2-0x0000000002BC0000-0x0000000002BDD000-memory.dmp

memory/2240-3-0x0000000002C30000-0x0000000002C46000-memory.dmp

memory/2240-4-0x0000000002BE0000-0x0000000002C30000-memory.dmp

memory/2240-5-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2240-6-0x00000000070F0000-0x000000000713A000-memory.dmp

memory/2240-12-0x0000000007560000-0x000000000757B000-memory.dmp

memory/2240-13-0x0000000002BE0000-0x0000000002C30000-memory.dmp

memory/2240-14-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2240-19-0x0000000002BE0000-0x0000000002C30000-memory.dmp

memory/2240-20-0x000000000A370000-0x000000000A450000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar8DC4.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win7-20240220-en

Max time kernel

133s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Help.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000363d075b9d6ba086c2c129c1cf1c3218c8103c47fde054b6b3698c529379efc6000000000e800000000200002000000021102d27b643e34f48ed3ae5462d9f219804e02077c9c58356950165a4bb76ca20000000139e0c51a03287037e4534fb0e1b7efb920da2626f5f4028f9abcdb9c8553a2f40000000399819f5b70e692d8f3714eaa7b13fa97c4659827fd85b22c6ee181008563d0925c3ec7e2ef361553553df140f7bc7e8a59aad73771df5441730ba9c0c3d0a0f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807f88a46e88da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418603011" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D00435F1-F461-11EE-8554-DE288D05BF47} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Help.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab2138.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab2226.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar223A.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d53c4c4ff06ae85444ada048f220fab0
SHA1 cdb6a32f4006bf5a7ef7e112bd619968b20c4793
SHA256 77a4e7d353444b4d35778144769c28c3df79d81ff461cbf7be61c562e3374994
SHA512 d4d15aa99b64dad5fd7d10bcc4e68d1e2887fb3966aad2cf91e18bfdcb6e002b5ca726ac5ba009c009d86980218f4d5519ff0e8a0dac3b78513831c9f609bebc

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

129s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Help.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2796 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2796 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2796 wrote to memory of 5060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Help.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8425446f8,0x7ff842544708,0x7ff842544718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17745137600096116823,8730088093189930836,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,17745137600096116823,8730088093189930836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,17745137600096116823,8730088093189930836,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17745137600096116823,8730088093189930836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17745137600096116823,8730088093189930836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,17745137600096116823,8730088093189930836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17745137600096116823,8730088093189930836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17745137600096116823,8730088093189930836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17745137600096116823,8730088093189930836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17745137600096116823,8730088093189930836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17745137600096116823,8730088093189930836,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4684 /prefetch:2

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2796_VMBXQPMJFCLHYBUW

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-06 22:05

Reported

2024-04-06 22:08

Platform

win10v2004-20240319-en

Max time kernel

141s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\AppPlus.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4640 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4640 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4640 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\AppPlus.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Bins\AppPlus.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2244,i,861925222566734100,5228329984880658054,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

N/A