Analysis Overview
SHA256
36026ae67867a75d0a02b8f7d4d72f6b52790ef55d8eee8a326af1de95802896
Threat Level: Shows suspicious behavior
The file 201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Loads dropped DLL
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Enumerates physical storage devices
Program crash
Unsigned PE
NSIS installer
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-07 09:01
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win7-20240221-en
Max time kernel
142s
Max time network
123s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '725350' m 'FRG_Website' t '0' l 'Default'"
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UPR
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PR
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
R
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UPW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UPW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UPW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.freeridegames.com | udp |
| US | 104.19.182.100:80 | www.freeridegames.com | tcp |
| US | 8.8.8.8:53 | img.exent.com | udp |
| US | 104.16.149.233:80 | img.exent.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nso118F.tmp\System.dll
| MD5 | a436db0c473a087eb61ff5c53c34ba27 |
| SHA1 | 65ea67e424e75f5065132b539c8b2eda88aa0506 |
| SHA256 | 75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49 |
| SHA512 | 908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d |
\Users\Admin\AppData\Local\Temp\SDM143\Splasher.dll
| MD5 | 41d94c8eb8cb17e04f8ec6e14132f9ca |
| SHA1 | add92b031eb36b26335763780df88bca58636ed7 |
| SHA256 | 2e522a4da2c291ebcde484b4a04a6ef0691a732b9db454f12399d3e577327c96 |
| SHA512 | 0561594d671cc64717463d59e2f076453614584ccdd47b4a39cd347e9999ba63463233c75dd9972102a2634b1abfe6c97fa8f682d944bc5cf129724b7595faa7 |
\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
| MD5 | 2db35d715864b8846f21dc95756171e0 |
| SHA1 | ed9030449256bd21e4f041961fb27bbbeddd7fff |
| SHA256 | 854bb62475a4b700a7ec49651610d050f1651491d0148c4bd4928b18bdc0436b |
| SHA512 | 65b62a0450a60f736af6ac42d6bec252160feac0681cc6319cbd32e76d631a4ea6d206dd62cee5cc00dd22e3de8dbf042024caa22d4288f8b932276f7b93898f |
memory/2432-45-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2612-44-0x0000000003750000-0x00000000038B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll
| MD5 | 5cf0fba9e8775382233c8e63e52c838a |
| SHA1 | b2a092f71eff0f6916652d7f3bfde9204eda5636 |
| SHA256 | 7d940af8950b106227539cd4bdfb62f2d37a4abeaf568ebe2275fd31058c2ca5 |
| SHA512 | 73489e3638b98ffd7bd516bfed519cfd48758aaaedc11cb202d11822cad609caf9af95e9e864bd8a992be826945e6d018ce081f3970511fd49d7757ca6affd25 |
memory/2432-48-0x0000000010000000-0x000000001009F000-memory.dmp
memory/2432-52-0x0000000010000000-0x000000001009F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
| MD5 | 51d301714c7361192d6305f6c46d90d1 |
| SHA1 | f546aac6dfab1187228df393e0db2c21e4fee1d0 |
| SHA256 | c9245047b86f8359a7f313434b85af481008e8cdf9579fd55aff8b8fbfb5ebcb |
| SHA512 | 9b6149c9c099f9cea3d574723d9ff6678d4f91ae7408349738a999d4986ce3cb7b4886f2972f6f1d3b27f7f7453a764f05c50d383f7054234b4ae55437d369b6 |
memory/2488-64-0x00000000003F0000-0x00000000003F2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat
| MD5 | 4174cb800274e3c271f7e53ae1b9ae35 |
| SHA1 | 6ac0ca77eef3b68c8db3349f1ceb0c8083450642 |
| SHA256 | d5e0a12b015868fdafdbdcef807fee6bf17e326db04c64079833e829bf34112e |
| SHA512 | c73823299a4706ad1feec4497c1e01c598beebe5679a1bbae2cfa6305b282f719c5c14c1fbc3d982db111cda6cdcc7721f22880391155ae9112f6b5f1cdb7cdd |
memory/2856-74-0x0000000000280000-0x0000000000282000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat
| MD5 | ff39c9539bceb07d5abefaf4a93386ad |
| SHA1 | 7576a04c03feb0c88c58834c2e54a0dd3ab8fdcb |
| SHA256 | a9b5dc1274a146ce141b409dea5a84e4a44c59d7cadd367859335d4d52deaef1 |
| SHA512 | c3508558c7da4107aa82c56af4e47e2b57282e502e7bde15155caa37c57e5ca0402f13fb31dc09ca2ae75cf346adccd3f534b87677f056bb70abeba32052d254 |
memory/1772-85-0x00000000002C0000-0x00000000002C2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat
| MD5 | 84db210b8748ae2489d2b0050ed213b1 |
| SHA1 | 4acf88ebf1c95041bcab6ade53d862ab9dbbb8f7 |
| SHA256 | 94e7db7f6587dfa286423740aad31445abdbaf55de052ba496bd0d681d6b5dcf |
| SHA512 | e0d1ab83687eab8910691783e287f9a0cb5cff50b6113f6b068142e752483906c9e1567ac8481e3bdc47a49ebb30e48bc7d364e80444b80d4611ee2c0b069d16 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9BRTA3ZL.txt
| MD5 | 06b24c53d2a4013ebb004cf284e474ff |
| SHA1 | d84fdc8a4c2b05579e7f68831dae2513c7629c99 |
| SHA256 | 29b9cee2bba2cb6be8a257d6b5aa16a9a53eadd80172f69159829168a60a2e5e |
| SHA512 | 3fe25c065aeba5baee74663e1cdf13b621b7aa78c698416c25451378cc0bd54ec80504e7d2b80b9776a6c1d52b5a88feeb388bc5197bf77c94d2f50dfa7a6621 |
memory/2484-96-0x00000000001D0000-0x00000000001D2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat
| MD5 | 809471c87c07c10440f37c1d9dd2bbb5 |
| SHA1 | 1a7ed896e012d2b536a241189f1e63960a1ce3da |
| SHA256 | 5f222bf9acdcabb89a91c695dedc626edcfb7938362c5c4dfbd0eac9950f3024 |
| SHA512 | ac6f608124bac8660a1b4b7fb9a6f7d08a122790d5ae4fa4abbae47fb74dcec5ce211c046567ecbd3f4ded18ee98a74426f06b58a1c9d3b64b4550ab05ff7c9e |
memory/2432-152-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-153-0x0000000010000000-0x000000001009F000-memory.dmp
memory/2612-154-0x0000000003750000-0x00000000038B4000-memory.dmp
memory/2432-155-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-156-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-158-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-160-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-162-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-164-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-166-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-168-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-170-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-172-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-174-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-176-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-178-0x0000000000400000-0x0000000000564000-memory.dmp
memory/2432-180-0x0000000000400000-0x0000000000564000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win10v2004-20240419-en
Max time kernel
140s
Max time network
113s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache | C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\201df4e8a9f4ed1210d9f6e969e7d0d6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '725350' m 'FRG_Website' t '0' l 'Default'"
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UHR
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HR
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
R
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UPR
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PR
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
R
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
ER
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
R
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UHW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UPW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
EW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UHW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UPW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
EW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UHW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
UPW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
EW
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
W
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.freeridegames.com | udp |
| US | 104.19.183.100:80 | www.freeridegames.com | tcp |
| US | 8.8.8.8:53 | 100.183.19.104.in-addr.arpa | udp |
| GB | 23.73.138.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 104.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsd349E.tmp\System.dll
| MD5 | a436db0c473a087eb61ff5c53c34ba27 |
| SHA1 | 65ea67e424e75f5065132b539c8b2eda88aa0506 |
| SHA256 | 75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49 |
| SHA512 | 908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d |
C:\Users\Admin\AppData\Local\Temp\SDM143\Splasher.dll
| MD5 | 41d94c8eb8cb17e04f8ec6e14132f9ca |
| SHA1 | add92b031eb36b26335763780df88bca58636ed7 |
| SHA256 | 2e522a4da2c291ebcde484b4a04a6ef0691a732b9db454f12399d3e577327c96 |
| SHA512 | 0561594d671cc64717463d59e2f076453614584ccdd47b4a39cd347e9999ba63463233c75dd9972102a2634b1abfe6c97fa8f682d944bc5cf129724b7595faa7 |
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
| MD5 | 2db35d715864b8846f21dc95756171e0 |
| SHA1 | ed9030449256bd21e4f041961fb27bbbeddd7fff |
| SHA256 | 854bb62475a4b700a7ec49651610d050f1651491d0148c4bd4928b18bdc0436b |
| SHA512 | 65b62a0450a60f736af6ac42d6bec252160feac0681cc6319cbd32e76d631a4ea6d206dd62cee5cc00dd22e3de8dbf042024caa22d4288f8b932276f7b93898f |
memory/412-43-0x0000000000400000-0x0000000000564000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll
| MD5 | 5cf0fba9e8775382233c8e63e52c838a |
| SHA1 | b2a092f71eff0f6916652d7f3bfde9204eda5636 |
| SHA256 | 7d940af8950b106227539cd4bdfb62f2d37a4abeaf568ebe2275fd31058c2ca5 |
| SHA512 | 73489e3638b98ffd7bd516bfed519cfd48758aaaedc11cb202d11822cad609caf9af95e9e864bd8a992be826945e6d018ce081f3970511fd49d7757ca6affd25 |
memory/412-47-0x0000000010000000-0x000000001009F000-memory.dmp
memory/412-50-0x0000000010000000-0x000000001009F000-memory.dmp
memory/412-52-0x0000000010000000-0x000000001009F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
| MD5 | 51d301714c7361192d6305f6c46d90d1 |
| SHA1 | f546aac6dfab1187228df393e0db2c21e4fee1d0 |
| SHA256 | c9245047b86f8359a7f313434b85af481008e8cdf9579fd55aff8b8fbfb5ebcb |
| SHA512 | 9b6149c9c099f9cea3d574723d9ff6678d4f91ae7408349738a999d4986ce3cb7b4886f2972f6f1d3b27f7f7453a764f05c50d383f7054234b4ae55437d369b6 |
memory/4600-62-0x00000000008A0000-0x00000000008DA000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ietemp1.dat
| MD5 | 4174cb800274e3c271f7e53ae1b9ae35 |
| SHA1 | 6ac0ca77eef3b68c8db3349f1ceb0c8083450642 |
| SHA256 | d5e0a12b015868fdafdbdcef807fee6bf17e326db04c64079833e829bf34112e |
| SHA512 | c73823299a4706ad1feec4497c1e01c598beebe5679a1bbae2cfa6305b282f719c5c14c1fbc3d982db111cda6cdcc7721f22880391155ae9112f6b5f1cdb7cdd |
memory/3852-73-0x0000000000D70000-0x0000000000DAA000-memory.dmp
memory/3948-86-0x00000000004B0000-0x00000000004EA000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ietemp1.dat
| MD5 | 965f41c6fefade8f58ac045908fc16c3 |
| SHA1 | ff476c184a653b9d774087131231ed1f9c915450 |
| SHA256 | 2753fc1956b8c85ba9398ed738b0f703cb02578ad3b04ef3f0fe9fd0461f77cd |
| SHA512 | 5de287633907934c142ac982dd1e000a3c7a3f62c9e08b405023e9dd9b62e032819703a9337a838589947da67e9deb2fe58d29828aa42f05557994b44b8326b8 |
C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat
| MD5 | 0c45fa8b2ade0350fb4b365d0f3bd0c5 |
| SHA1 | 40c21f3e32cf6a5d34fe28ee80cab82cc4d18f83 |
| SHA256 | 04ab457337fb730f1020e7f98fd4ec700ca8a352e8d93ac1f136136361f1f4cd |
| SHA512 | a451cf97311404234294ee81c5852a583c8a353b47c1adeb1f449abfe6cbb5c36c21d2242ab67851f614064e811542dabd2aa7e085b05bee97fd59dc1958e35d |
memory/2972-97-0x00000000002D0000-0x000000000030A000-memory.dmp
memory/2156-110-0x0000000000890000-0x00000000008CA000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ietemp1.dat
| MD5 | eea4457f0b44ae8a1b59a9e48289b303 |
| SHA1 | b1bc54122872c9f3fca44b9e0359c45567f5d341 |
| SHA256 | e4eee505da10a57bcac03f202171ce83d9f06a5b959a6de87592a7ffb6b91b45 |
| SHA512 | 96eec95c7b06245d44fd2509ee7f6a1d6a3c228f8248d449266a99ff05c201c9b8bbb971785dbdd7409be09ae86780a58147ccd06356d64d57677e2722150967 |
C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat
| MD5 | 8ac860802471226f56ec78bd74859e10 |
| SHA1 | 9a5c7fd8bdb0747588a05b0a86a23e43d497eed5 |
| SHA256 | ed9c4a2c292e6cb6800b44404eced2a9e60544679311189a01690a71241d75c4 |
| SHA512 | 05c353cbf54b62eefb2d54425867f6f4b25f192366f0b7c2bb0ac931103592e8af170c457d7e55412daf1df5826f64f7d4e58d7fdab3e1a4ed4fa57ba2a92bf3 |
memory/2068-121-0x0000000000530000-0x000000000056A000-memory.dmp
memory/4784-134-0x0000000000AE0000-0x0000000000B1A000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ietemp1.dat
| MD5 | 93c3979e09909142e87bae30948b404a |
| SHA1 | 9bc51c81ec4e429a052e0b4fb89944b5e016d535 |
| SHA256 | f44147c2181701048dc6cc48e4301ac66c2ebdf9d2818af00611730852c6a0f4 |
| SHA512 | 2d57b627edeb7774a2ee9154a526c5afe1126caa244cc8d77ac0c5d7af8ac835e6a1232a0e3c2388bff6648b586af0f59e94c384aec38e0e74070f7d43e5c2f6 |
C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat
| MD5 | ffcbdf4bab636fe4ece02305c0580d5c |
| SHA1 | 1aab2b8fa7592e885a4444f836e1baa98150efc2 |
| SHA256 | d7b89218e7423b7227601b5afef3a325cf3b8250b540e6e5aa07b8ee3536e064 |
| SHA512 | 40eabf20f3fe87c8733a55ffd011468260b0b869b1058ba979c7593ad94622c46ee1b5e2112c4bdfd19d3f8fbf23fa5f962cb0d42f71bd1ceebab87ce749baa0 |
memory/2004-147-0x0000000000040000-0x000000000007A000-memory.dmp
memory/412-189-0x0000000000400000-0x0000000000564000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win10v2004-20240419-en
Max time kernel
133s
Max time network
151s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4420 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4420 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4420 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4884 -ip 4884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 612
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| GB | 23.73.138.80:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 80.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4884-0-0x00000000749B0000-0x00000000749B9000-memory.dmp
memory/4884-2-0x00000000749B0000-0x00000000749B9000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win7-20240220-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 224
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win10v2004-20240419-en
Max time kernel
135s
Max time network
103s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1280 wrote to memory of 2064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1280 wrote to memory of 2064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1280 wrote to memory of 2064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Splasher.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Splasher.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 600
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| GB | 23.73.138.25:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 25.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win7-20240221-en
Max time kernel
140s
Max time network
118s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 220
Network
Files
memory/2356-2-0x0000000074BE0000-0x0000000074BE9000-memory.dmp
memory/2356-1-0x0000000074BF0000-0x0000000074BF9000-memory.dmp
memory/2356-0-0x0000000074C00000-0x0000000074C09000-memory.dmp
memory/2356-5-0x0000000074C00000-0x0000000074C09000-memory.dmp
memory/2356-6-0x0000000074BE0000-0x0000000074BE9000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win10v2004-20240419-en
Max time kernel
133s
Max time network
102s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2404 wrote to memory of 3520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2404 wrote to memory of 3520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2404 wrote to memory of 3520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3520 -ip 3520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| GB | 23.73.138.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win7-20240419-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\ExentCtlInstaller.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\ExentCtlInstaller.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 232
Network
Files
memory/1636-0-0x0000000010000000-0x0000000010063000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 224
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win10v2004-20240419-en
Max time kernel
131s
Max time network
100s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 3188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2104 wrote to memory of 3188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2104 wrote to memory of 3188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3188 -ip 3188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| GB | 23.73.138.25:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win10v2004-20240419-en
Max time kernel
135s
Max time network
104s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2952 wrote to memory of 2268 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2952 wrote to memory of 2268 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2952 wrote to memory of 2268 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\ExentCtlInstaller.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\ExentCtlInstaller.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| GB | 23.73.138.83:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2268-0-0x0000000010000000-0x0000000010063000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Free Ride Games.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Free Ride Games.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Free Ride Games.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Free Ride Games.exe"
Network
Files
memory/912-0-0x0000000000400000-0x0000000000564000-memory.dmp
memory/912-2-0x0000000000400000-0x0000000000564000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
143s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Free Ride Games.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Free Ride Games.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Free Ride Games.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Free Ride Games.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
memory/1504-0-0x0000000000400000-0x0000000000564000-memory.dmp
memory/1504-2-0x0000000000400000-0x0000000000564000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2304 wrote to memory of 1196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Splasher.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Splasher.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\cmhelper.exe"
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win10v2004-20240419-en
Max time kernel
132s
Max time network
101s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\cmhelper.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\cmhelper.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| GB | 23.73.138.33:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3028 wrote to memory of 1692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3028 wrote to memory of 1692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3028 wrote to memory of 1692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3028 wrote to memory of 1692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3028 wrote to memory of 1692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3028 wrote to memory of 1692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3028 wrote to memory of 1692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\resourceDll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\resourceDll.dll,#1
Network
Files
memory/1692-1-0x0000000010000000-0x000000001009F000-memory.dmp
memory/1692-0-0x0000000010000000-0x000000001009F000-memory.dmp
memory/1692-2-0x0000000010000000-0x000000001009F000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-07 09:01
Reported
2024-05-07 09:04
Platform
win10v2004-20240419-en
Max time kernel
136s
Max time network
122s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3552 wrote to memory of 512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3552 wrote to memory of 512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3552 wrote to memory of 512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\resourceDll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\resourceDll.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| GB | 23.73.138.80:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 80.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/512-0-0x0000000010000000-0x000000001009F000-memory.dmp
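Added example (not part of the sandbox report and not code from the sample): a small Python triage script over the Processes, WriteProcessMemory and Files lines of the analyses above. The sample lines are copied from behavioral8, behavioral11 and behavioral17; the function names and classification labels are mine. It decodes the `rundll32 DLL,#1` ordinal call, separates NSIS plugin DLLs under `$PLUGINSDIR` from the installer payload under `$TEMP\SDM143`, pulls the faulting PID out of each WerFault command line, parses the dump file names into PID and address range (a dump starting at 0x10000000 or 0x400000 is a module sitting at the MSVC default DLL or EXE base, consistent with a build without /DYNAMICBASE), and labels the `system32\rundll32.exe` to `SysWOW64\rundll32.exe` writes as the 64-bit rundll32 relaunching its WoW64 copy with the same command line for a 32-bit DLL, which is process creation rather than injection. Two caveats the report itself supports: the Program crash entries are consistent with the detonation driving NSIS plugin exports through rundll32 outside the NSIS runtime, not with a capability of the sample, and the Network tables of the win10 runs contain only 8.8.8.8 reverse lookups and Bing connections that the win7 runs of the same binaries (compare behavioral15 with behavioral16) do not show, so they should not be read as sample C2.

```python
"""Parse Triage-style sandbox report lines into a small triage summary.
Sample input below is copied from the analyses above; helpers are illustrative."""
import re

# Constructed sample input: command lines from behavioral8, behavioral11, behavioral17
PROCESS_LINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3520 -ip 3520",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 612",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\resourceDll.dll,#1",
    r'"C:\Users\Admin\AppData\Local\Temp\$TEMP\SDM143\Free Ride Games.exe"',
]
WPM_LINES = ["PID 2404 wrote to memory of 3520", "PID 3028 wrote to memory of 1692"]
DUMP_NAMES = [
    "memory/1692-1-0x0000000010000000-0x000000001009F000-memory.dmp",
    "memory/912-0-0x0000000000400000-0x0000000000564000-memory.dmp",
]

RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<export>\S+)\s*$", re.I)
WERFAULT = re.compile(r"WerFault\.exe\s+(?P<args>.*)$", re.I)
WPM = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")
DUMP = re.compile(r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                  r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")


def parse_rundll32(cmdline):
    """Split 'rundll32 <dll>,<export>' and flag where the DLL was staged."""
    m = RUNDLL.match(cmdline.strip())
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    low = dll.lower()
    return {
        "dll": dll,
        # "#1" is export ordinal 1; anything not starting with '#' is an export name
        "ordinal": int(export[1:]) if export.startswith("#") and export[1:].isdigit() else None,
        "export_name": None if export.startswith("#") else export,
        "from_temp": "\\appdata\\local\\temp\\" in low,
        # NSIS unpacks plugin DLLs to $PLUGINSDIR; this installer's payload sits under $TEMP
        "nsis_plugin": "\\$pluginsdir\\" in low,
        "nsis_payload": "\\$temp\\" in low,
    }


def parse_werfault(cmdline):
    """-p <pid> names the faulting process; other switches are kept verbatim, not interpreted."""
    m = WERFAULT.search(cmdline)
    if not m:
        return None
    args = m.group("args").split()
    pid, flags = None, []
    for i, tok in enumerate(args):
        if tok == "-p" and i + 1 < len(args):
            pid = int(args[i + 1])
        elif tok.startswith("-"):
            flags.append(tok)
    return {"crashed_pid": pid, "flags": flags}


def parse_wpm(desc):
    m = WPM.search(desc)
    return (int(m.group("src")), int(m.group("dst"))) if m else None


def parse_dump(name):
    """memory/<pid>-<idx>-<start>-<end>-memory.dmp -> pid, base, size, default-base flags."""
    m = DUMP.match(name)
    if not m:
        return None
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    return {"pid": int(m.group("pid")), "start": start, "size": end - start,
            # MSVC default image bases: 0x10000000 for DLLs, 0x400000 for EXEs.
            # A dump at exactly that base is a module that was not relocated.
            "at_default_dll_base": start == 0x10000000,
            "at_default_exe_base": start == 0x400000}


def classify_write(src_image, dst_image, src_cmd, dst_cmd):
    """64-bit rundll32 given a 32-bit DLL starts SysWOW64\\rundll32.exe with the same
    command line; the parent writing into that child is process creation, not injection."""
    if (src_image.lower().endswith("\\system32\\rundll32.exe")
            and dst_image.lower().endswith("\\syswow64\\rundll32.exe")
            and src_cmd == dst_cmd):
        return "wow64-relaunch"
    return "cross-process-write"


def triage(process_lines, wpm_lines, dump_names):
    report = {"rundll32": [], "crashes": [], "writes": [], "dumps": []}
    for line in process_lines:
        r, w = parse_rundll32(line), parse_werfault(line)
        if r:
            report["rundll32"].append(r)
        if w:
            report["crashes"].append(w)
    report["writes"] = [p for p in map(parse_wpm, wpm_lines) if p]
    report["dumps"] = [d for d in map(parse_dump, dump_names) if d]
    crashed = {c["crashed_pid"] for c in report["crashes"]}
    # a write whose target later shows up as a WerFault -p <pid> links the two events
    report["writes_into_crashed"] = [w for w in report["writes"] if w[1] in crashed]
    return report


if __name__ == "__main__":
    print(triage(PROCESS_LINES, WPM_LINES, DUMP_NAMES))
```

Run against a full report, feed every second Processes line (the command line) into `triage`; the image path on the line before it is what `classify_write` needs to separate the WoW64 relaunch from a genuine write into an unrelated process.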