Malware Analysis Report

2025-01-02 07:35

Sample ID 240510-fmrb8acd5z
Target FabFilter_Total_Bundle_v2023.02.06.zip
SHA256 9b1c965430289c82edff635e1b7650abddf9753e6ebe5e66f13770a766375f2e
Tags discovery privateloader loader
Score 10/10

Analysis Overview

Score 10/10

SHA256

9b1c965430289c82edff635e1b7650abddf9753e6ebe5e66f13770a766375f2e

Threat Level: Known bad

The file FabFilter_Total_Bundle_v2023.02.06.zip was found to be: Known bad.

Malicious Activity Summary

discovery privateloader loader

PrivateLoader

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 05:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:06

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RFBFKG.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RFBFKG.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RFBFKG.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:06

Platform

win7-20240221-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"

Network

N/A

Files

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:06

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RFBFKG.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4908 wrote to memory of 2876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4908 wrote to memory of 2876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4908 wrote to memory of 2876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RFBFKG.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RFBFKG.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2876 -ip 2876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 648

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:06

Platform

win7-20240215-en

Max time kernel

140s

Max time network

128s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\$TEMP\bgm.it"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\$TEMP\bgm.it"

Network

N/A

Files

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:07

Platform

win7-20240220-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\FabFilter\Simplon\is-2RULN.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-6H3D0.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-G.aaxplugin\Contents\Resources\is-81C1U.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-MB.aaxplugin\Contents\x64\is-87307.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Volcano 3.aaxplugin\Contents\Resources\is-9FISG.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-P33AN.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-DS.aaxplugin\Contents\x64\is-V7S82.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-L 2.aaxplugin\Contents\Resources\is-VGGI5.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Pro-R\FabFilter Pro-R.chm C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Pro-G\FabFilter Pro-G.chm C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Saturn 2\is-BCJSA.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-GHBRU.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Micro\is-TFULK.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-G.aaxplugin\Contents\x64\is-OQIIJ.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-R.aaxplugin\Contents\Resources\is-KM7T0.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Micro\FabFilter Micro.chm C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-Q 3\is-SIVTR.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-C 2.aaxplugin\Contents\x64\is-896IA.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-Q 3.aaxplugin\Contents\Resources\is-G9P97.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-KODDU.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Twin 3\FabFilter Twin 3.chm C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\One\is-GC5VS.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\One\is-9IUKB.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-L 2\is-L4VBO.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Timeless 3\is-JIBFN.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-L 2\is-A5EUI.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-R\is-3CIOH.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-1CJSA.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter One.aaxplugin\Contents\x64\is-Q54LD.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Timeless 3\FabFilter Timeless 3.chm C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Micro\is-VP4RK.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Saturn 2\is-HTDUG.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-B4KEE.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-C 2.aaxplugin\Contents\Resources\is-DUM9M.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-R\is-J0GFD.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Timeless 3\is-O5NMG.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-L 2.aaxplugin\Contents\x64\is-CA1D5.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\One\FabFilter One.chm C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\One\FabFilter One.dll C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\is-ES11G.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-C 2\is-0JLGQ.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-MB\is-1DCMG.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-MB.aaxplugin\Contents\Resources\is-HA46F.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-Q 3.aaxplugin\Contents\x64\is-D0TVF.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Volcano 3.aaxplugin\Contents\x64\is-BMRFN.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Volcano 3\is-MAM2I.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\One\is-M5Q8A.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-QKPQV.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Pro-Q 3\FabFilter Pro-Q 3.chm C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Pro-DS\FabFilter Pro-DS.chm C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-DS\is-P0PKN.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-G\is-MAEQ6.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-Q 3\is-D09N6.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Pro-L 2\FabFilter Pro-L 2.chm C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-G\is-0AT5O.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-JNIJE.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-C7J0F.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Saturn 2.aaxplugin\Contents\x64\is-HGLDN.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Pro-MB\FabFilter Pro-MB.chm C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-C 2\is-D20MS.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-OMD7E.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Timeless 3.aaxplugin\Contents\x64\is-PVLI8.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Twin 3.aaxplugin\Contents\x64\is-GM5B4.tmp C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp
PID 2964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp
PID 2964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp
PID 2964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp
PID 2964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp
PID 2964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp
PID 2964 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe"

C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp

"C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp" /SL5="$30142,235174849,121344,C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\is-J3VVD.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp

MD5 34acc2bdb45a9c436181426828c4cb49
SHA1 5adaa1ac822e6128b8d4b59a54d19901880452ae
SHA256 9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07
SHA512 134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

\Users\Admin\AppData\Local\Temp\is-5K06A.tmp\ISSKINU.DLL

MD5 f30afccd6fafc1cad4567ada824c9358
SHA1 60a65b72f208563f90fba0da6af013a36707caa9
SHA256 e28d16fad16bca8198c47d7dd44acfd362dd6ba1654f700add8aaf2c0732622d
SHA512 59b199085ed4b59ef2b385a09d0901ff2efde7b344db1e900684a425fc2df8e2010ca73d2f2bffa547040cb1dd4c8938b175c463ccc5e39a840a19f9aa301a6c

\Users\Admin\AppData\Local\Temp\is-5K06A.tmp\R2RINNO.dll

MD5 5df8ada84a16f5dfc24096ef90a5ce3a
SHA1 5e7e9c68119c3a0a1afc92c60674bc8714492823
SHA256 48a9c8c332fde541b571d9d522d0e37834b452f55af8cbdc341b12222e78fb5b
SHA512 661b5219c74dd6e3a8e899a1b1a3002689d148e337d7323a174519366c9548c284ee76e2faa2f9600cd483db21093ee62399f0d7403c39523c654266760191c2

\Users\Admin\AppData\Local\Temp\is-5K06A.tmp\SKIN.CJSTYLES

MD5 5f87caf3f7cf63dde8e6af53bdf31289
SHA1 a2c3cc3d9d831acd797155b667db59a32000d7a8
SHA256 4731982b02b067d3f5a5a7518279a9265a49fb0f7b3f8dc3d61b82a5359d4940
SHA512 4875298d82037ef1fff1ee3c58a9059d8480274326c862729fcc56664ecb49e2692c3838948c66dc8336e4050469d831cbf1fbd79b66565ab673d2a67765109d

\Program Files (x86)\FabFilter\unins000.exe

MD5 52f893b384a2459dda518facd4540885
SHA1 7906eb5babacade5d3b18bd13fa1012bee0852b3
SHA256 9eed65b45b3e73d05aafd30d420f4bd29f344a043818c1a38cc84a83959ccbde
SHA512 f45d47ab39be2ae083dfa0edde9abd615da566643c5c1c94f66c98de085cd6b7281e17f775941063d35b627c9396e7e206e8041f271dbbf0a240d985791bce4c

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:07

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\FabFilter\Pro-DS\FabFilter Pro-DS.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Saturn 2\FabFilter Saturn 2.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-Q 3\is-NEHKS.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-R\is-ER584.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Volcano 3\is-SQQGF.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-LCMJG.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-C 2.aaxplugin\Contents\Resources\is-2N16B.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Pro-R\FabFilter Pro-R.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\is-U4088.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-G.aaxplugin\Contents\x64\is-OALNC.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Saturn 2.aaxplugin\Contents\x64\is-TPDKJ.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\One\is-VMLJG.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-O7RMO.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Timeless 3\is-ODEGP.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-G.aaxplugin\Contents\Resources\is-9IAL8.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Saturn 2.aaxplugin\Contents\Resources\is-509T6.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Twin 3.aaxplugin\Contents\Resources\is-OMKUH.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Pro-L 2\FabFilter Pro-L 2.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Volcano 3\FabFilter Volcano 3.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-MB\is-JVKUF.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Saturn 2\is-ELBPV.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Timeless 3\is-6C4S1.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\One\is-BNH8J.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-ECBNE.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter One.aaxplugin\Contents\x64\is-UHO2F.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-C 2.aaxplugin\Contents\x64\is-34M9R.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-Q 3.aaxplugin\Contents\x64\is-BT525.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\is-B8IQ0.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-DS\is-3G0OK.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-6JTB2.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Micro.aaxplugin\Contents\x64\is-PTQ2B.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-Q 3.aaxplugin\Contents\Resources\is-RFPL9.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\One\FabFilter One.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Simplon\FabFilter Simplon.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Pro-C 2\FabFilter Pro-C 2.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Micro\is-0VOGN.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-MB\is-PE9N0.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-90V3H.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-BJTPP.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-R.aaxplugin\Contents\Resources\is-18D9P.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Timeless 3.aaxplugin\Contents\Resources\is-C8G6S.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Twin 3.aaxplugin\Contents\x64\is-BF6LL.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-Q 3\is-IE1QH.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Twin 3\is-6PHTH.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-M078V.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-3S8HG.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-R.aaxplugin\Contents\x64\is-6QAK5.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Pro-G\FabFilter Pro-G.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-LKSQ2.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-L 2.aaxplugin\Contents\x64\is-4A2PG.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Simplon.aaxplugin\Contents\x64\is-OHCSU.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Volcano 3.aaxplugin\Contents\Resources\is-KUR5F.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Volcano 3.aaxplugin\Contents\x64\is-QPL1Q.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Pro-Q 3\FabFilter Pro-Q 3.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Timeless 3\FabFilter Timeless 3.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\Twin 3\FabFilter Twin 3.chm C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\One\FabFilter One.exe C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files (x86)\FabFilter\Pro-G\is-G7E68.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-28J05.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\VST3\FabFilter\is-AD016.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\FabFilter\FabFilter Pro-DS.aaxplugin\Contents\Resources\is-R1DCK.tmp C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A
File opened for modification C:\Program Files (x86)\FabFilter\One\FabFilter One.dll C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe"

C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp" /SL5="$9011E,235174849,121344,C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/5012-2-0x0000000000401000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-N4F0G.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp

MD5 34acc2bdb45a9c436181426828c4cb49
SHA1 5adaa1ac822e6128b8d4b59a54d19901880452ae
SHA256 9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07
SHA512 134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

memory/5012-1-0x0000000000400000-0x0000000000428000-memory.dmp

memory/716-6-0x0000000000400000-0x000000000052E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-LICLC.tmp\ISSKINU.DLL

MD5 f30afccd6fafc1cad4567ada824c9358
SHA1 60a65b72f208563f90fba0da6af013a36707caa9
SHA256 e28d16fad16bca8198c47d7dd44acfd362dd6ba1654f700add8aaf2c0732622d
SHA512 59b199085ed4b59ef2b385a09d0901ff2efde7b344db1e900684a425fc2df8e2010ca73d2f2bffa547040cb1dd4c8938b175c463ccc5e39a840a19f9aa301a6c

memory/716-14-0x0000000010000000-0x0000000010061000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-LICLC.tmp\R2RINNO.dll

MD5 5df8ada84a16f5dfc24096ef90a5ce3a
SHA1 5e7e9c68119c3a0a1afc92c60674bc8714492823
SHA256 48a9c8c332fde541b571d9d522d0e37834b452f55af8cbdc341b12222e78fb5b
SHA512 661b5219c74dd6e3a8e899a1b1a3002689d148e337d7323a174519366c9548c284ee76e2faa2f9600cd483db21093ee62399f0d7403c39523c654266760191c2

C:\Users\Admin\AppData\Local\Temp\is-LICLC.tmp\SKIN.CJSTYLES

MD5 5f87caf3f7cf63dde8e6af53bdf31289
SHA1 a2c3cc3d9d831acd797155b667db59a32000d7a8
SHA256 4731982b02b067d3f5a5a7518279a9265a49fb0f7b3f8dc3d61b82a5359d4940
SHA512 4875298d82037ef1fff1ee3c58a9059d8480274326c862729fcc56664ecb49e2692c3838948c66dc8336e4050469d831cbf1fbd79b66565ab673d2a67765109d

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:07

Platform

win7-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\Instruction.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\Instruction.txt"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:07

Platform

win7-20240220-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe"

C:\Users\Admin\AppData\Local\Temp\keygen.exe

C:\Users\Admin\AppData\Local\Temp\keygen.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\keygen.exe

MD5 d46b062d7f8ecf948d579ebe809cd597
SHA1 bba400b955bca8729bfdffb343d3b9f54cbb42f3
SHA256 9dca86bab19f5f0cd7c71ac4797921c93c03894f2378b8b3f4e97d742c9c2ea3
SHA512 2c93a1e061a9a77b5c4b5ba8e5f6b4809f225c28b9279cf341c54b8cb586834c7e1ca583df8d8ad4ce8458fcdee306b9f43043b5c2e3f9441f024b4591ce7d49

memory/2144-16-0x0000000010000000-0x0000000010013000-memory.dmp

\Users\Admin\AppData\Local\Temp\BASSMOD.dll

MD5 e4ec57e8508c5c4040383ebe6d367928
SHA1 b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06
SHA256 8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f
SHA512 77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

memory/2144-18-0x00000000002B0000-0x00000000002CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\R2RFBFKG.dll

MD5 62695f6fa2a85fc9993f57dfcbdc2749
SHA1 07a9b478df63fba4cf3002974b4cf56b404d0914
SHA256 1ab33027c4965b027298651781a1c780c272818da189e2c3a8101ac578069260
SHA512 69dd0de913629853400106811bffdebd8ec2037c93c9f9820d3f140e84576912de3ab57434086e20cf8698185015c27fa307e06047e2219dcf38a927a36f3c95

memory/2144-11-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bgm.it

MD5 5e3c083251880c635f5ea6a0a6ed8e76
SHA1 e7fb44133e223140057243493159bdce01c5f080
SHA256 9d460a48d7f7f461967c9065182456871606eef1c27f21767335b7d81384e141
SHA512 b4a6a5ad71a13f51989e1fccedb542ab528f6ab9bc3d60a4c93c59e544b8eaa06ca7b9fe79c1d9a5c92b61345c18e38736561cd21426bc9e43ae3a4c59424284

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:07

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe"

C:\Users\Admin\AppData\Local\Temp\keygen.exe

C:\Users\Admin\AppData\Local\Temp\keygen.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x294 0x404

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\keygen.exe

MD5 d46b062d7f8ecf948d579ebe809cd597
SHA1 bba400b955bca8729bfdffb343d3b9f54cbb42f3
SHA256 9dca86bab19f5f0cd7c71ac4797921c93c03894f2378b8b3f4e97d742c9c2ea3
SHA512 2c93a1e061a9a77b5c4b5ba8e5f6b4809f225c28b9279cf341c54b8cb586834c7e1ca583df8d8ad4ce8458fcdee306b9f43043b5c2e3f9441f024b4591ce7d49

memory/5040-7-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BASSMOD.dll

MD5 e4ec57e8508c5c4040383ebe6d367928
SHA1 b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06
SHA256 8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f
SHA512 77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

C:\Users\Admin\AppData\Local\Temp\R2RFBFKG.dll

MD5 62695f6fa2a85fc9993f57dfcbdc2749
SHA1 07a9b478df63fba4cf3002974b4cf56b404d0914
SHA256 1ab33027c4965b027298651781a1c780c272818da189e2c3a8101ac578069260
SHA512 69dd0de913629853400106811bffdebd8ec2037c93c9f9820d3f140e84576912de3ab57434086e20cf8698185015c27fa307e06047e2219dcf38a927a36f3c95

memory/5040-15-0x0000000010000000-0x0000000010013000-memory.dmp

memory/5040-13-0x00000000005A0000-0x00000000005BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bgm.it

MD5 5e3c083251880c635f5ea6a0a6ed8e76
SHA1 e7fb44133e223140057243493159bdce01c5f080
SHA256 9d460a48d7f7f461967c9065182456871606eef1c27f21767335b7d81384e141
SHA512 b4a6a5ad71a13f51989e1fccedb542ab528f6ab9bc3d60a4c93c59e544b8eaa06ca7b9fe79c1d9a5c92b61345c18e38736561cd21426bc9e43ae3a4c59424284

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:07

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

160s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\Instruction.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\Instruction.txt"

Network

Country Destination Domain Proto
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:07

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

161s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\$TEMP\bgm.it"

Signatures

PrivateLoader

loader privateloader

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\$TEMP\bgm.it"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2220 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x338 0x2f8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/2132-0-0x00007FF758A40000-0x00007FF758B38000-memory.dmp

memory/2132-1-0x00007FFC9E570000-0x00007FFC9E5A4000-memory.dmp

memory/2132-4-0x00007FFC9E8B0000-0x00007FFC9E8C7000-memory.dmp

memory/2132-9-0x00007FFC9E130000-0x00007FFC9E141000-memory.dmp

memory/2132-8-0x00007FFC9E150000-0x00007FFC9E16D000-memory.dmp

memory/2132-7-0x00007FFC9E410000-0x00007FFC9E421000-memory.dmp

memory/2132-6-0x00007FFC9E550000-0x00007FFC9E567000-memory.dmp

memory/2132-5-0x00007FFC9E780000-0x00007FFC9E791000-memory.dmp

memory/2132-2-0x00007FFC8D3C0000-0x00007FFC8D674000-memory.dmp

memory/2132-3-0x00007FFC9EA40000-0x00007FFC9EA58000-memory.dmp

memory/2132-10-0x00007FFC8C310000-0x00007FFC8D3BB000-memory.dmp

memory/2132-13-0x00007FFC8D3C0000-0x00007FFC8D674000-memory.dmp

memory/2132-21-0x00007FFC8C310000-0x00007FFC8D3BB000-memory.dmp

memory/2132-22-0x00007FFC8C110000-0x00007FFC8C310000-memory.dmp

memory/2132-24-0x00007FFC9E100000-0x00007FFC9E121000-memory.dmp

memory/2132-25-0x00007FFC9DF40000-0x00007FFC9DF58000-memory.dmp

memory/2132-23-0x00007FFC9DF60000-0x00007FFC9DF9F000-memory.dmp

memory/2132-28-0x00007FFC8D3C0000-0x00007FFC8D674000-memory.dmp

memory/2132-36-0x00007FFC8C310000-0x00007FFC8D3BB000-memory.dmp

memory/2132-48-0x00007FFC8D3C0000-0x00007FFC8D674000-memory.dmp

memory/2132-56-0x00007FFC8C310000-0x00007FFC8D3BB000-memory.dmp

memory/2132-61-0x000001EBC40D0000-0x000001EBC5880000-memory.dmp

memory/2132-64-0x00007FFC8D3C0000-0x00007FFC8D674000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:07

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x418 0x2f0

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/3228-2-0x0000000000710000-0x000000000072F000-memory.dmp

memory/3228-1-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3228-0-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3228-4-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3228-5-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3228-6-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3228-7-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3228-8-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3228-9-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3228-10-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3228-11-0x0000000010000000-0x0000000010013000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:07

Platform

win7-20240419-en

Max time kernel

148s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:07

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe

"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:06

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

Network

N/A

Files

memory/2748-3-0x0000000010012000-0x0000000010013000-memory.dmp

memory/2748-2-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2748-1-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2748-0-0x0000000010000000-0x0000000010013000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 04:59

Reported

2024-05-10 05:06

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 1116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 1116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 1116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/1116-0-0x0000000010000000-0x0000000010013000-memory.dmp