Analysis Overview
SHA256
9b1c965430289c82edff635e1b7650abddf9753e6ebe5e66f13770a766375f2e
Threat Level: Shows suspicious behavior
The file FabFilter_Total_Bundle_v2023.02.06.zip was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 05:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:23
Platform
win10-20240404-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1008 wrote to memory of 1884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1008 wrote to memory of 1884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1008 wrote to memory of 1884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/1884-0-0x0000000010000000-0x0000000010013000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:24
Platform
win10-20240404-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 748 wrote to memory of 164 | N/A | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe |
| PID 748 wrote to memory of 164 | N/A | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe |
| PID 748 wrote to memory of 164 | N/A | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe
"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ac
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\keygen.exe
| MD5 | d46b062d7f8ecf948d579ebe809cd597 |
| SHA1 | bba400b955bca8729bfdffb343d3b9f54cbb42f3 |
| SHA256 | 9dca86bab19f5f0cd7c71ac4797921c93c03894f2378b8b3f4e97d742c9c2ea3 |
| SHA512 | 2c93a1e061a9a77b5c4b5ba8e5f6b4809f225c28b9279cf341c54b8cb586834c7e1ca583df8d8ad4ce8458fcdee306b9f43043b5c2e3f9441f024b4591ce7d49 |
memory/164-7-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BASSMOD.DLL
| MD5 | e4ec57e8508c5c4040383ebe6d367928 |
| SHA1 | b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06 |
| SHA256 | 8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f |
| SHA512 | 77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822 |
C:\Users\Admin\AppData\Local\Temp\R2RFBFKG.dll
| MD5 | 62695f6fa2a85fc9993f57dfcbdc2749 |
| SHA1 | 07a9b478df63fba4cf3002974b4cf56b404d0914 |
| SHA256 | 1ab33027c4965b027298651781a1c780c272818da189e2c3a8101ac578069260 |
| SHA512 | 69dd0de913629853400106811bffdebd8ec2037c93c9f9820d3f140e84576912de3ab57434086e20cf8698185015c27fa307e06047e2219dcf38a927a36f3c95 |
memory/164-13-0x00000000005C0000-0x00000000005DF000-memory.dmp
memory/164-15-0x0000000010000000-0x0000000010013000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bgm.it
| MD5 | 5e3c083251880c635f5ea6a0a6ed8e76 |
| SHA1 | e7fb44133e223140057243493159bdce01c5f080 |
| SHA256 | 9d460a48d7f7f461967c9065182456871606eef1c27f21767335b7d81384e141 |
| SHA512 | b4a6a5ad71a13f51989e1fccedb542ab528f6ab9bc3d60a4c93c59e544b8eaa06ca7b9fe79c1d9a5c92b61345c18e38736561cd21426bc9e43ae3a4c59424284 |
memory/164-19-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-20-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-21-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-22-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-23-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-24-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-25-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-26-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-27-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-28-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-29-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-30-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-31-0x0000000010000000-0x0000000010013000-memory.dmp
memory/164-32-0x0000000010000000-0x0000000010013000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:23
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 552 wrote to memory of 528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 552 wrote to memory of 528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 552 wrote to memory of 528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
memory/528-0-0x0000000010000000-0x0000000010013000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:23
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
105s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4104 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4104 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4104 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RFBFKG.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RFBFKG.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2864 -ip 2864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 648
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:23
Platform
win10-20240404-en
Max time kernel
141s
Max time network
138s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\$TEMP\bgm.it"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/4284-7-0x00007FF6EFF30000-0x00007FF6F0028000-memory.dmp
memory/4284-8-0x00007FFA66F00000-0x00007FFA66F34000-memory.dmp
memory/4284-10-0x00007FFA6A940000-0x00007FFA6A958000-memory.dmp
memory/4284-9-0x00007FFA66240000-0x00007FFA664F6000-memory.dmp
memory/4284-16-0x00007FFA66E40000-0x00007FFA66E51000-memory.dmp
memory/4284-17-0x00007FFA57600000-0x00007FFA5780B000-memory.dmp
memory/4284-15-0x00007FFA66E60000-0x00007FFA66E7D000-memory.dmp
memory/4284-14-0x00007FFA66E80000-0x00007FFA66E91000-memory.dmp
memory/4284-13-0x00007FFA66EA0000-0x00007FFA66EB7000-memory.dmp
memory/4284-12-0x00007FFA66EC0000-0x00007FFA66ED1000-memory.dmp
memory/4284-11-0x00007FFA66EE0000-0x00007FFA66EF7000-memory.dmp
memory/4284-26-0x00007FFA63180000-0x00007FFA63191000-memory.dmp
memory/4284-25-0x00007FFA66AE0000-0x00007FFA66AFB000-memory.dmp
memory/4284-24-0x00007FFA66B00000-0x00007FFA66B11000-memory.dmp
memory/4284-23-0x00007FFA66B20000-0x00007FFA66B31000-memory.dmp
memory/4284-22-0x00007FFA66D80000-0x00007FFA66D91000-memory.dmp
memory/4284-21-0x00007FFA66DA0000-0x00007FFA66DB8000-memory.dmp
memory/4284-20-0x00007FFA66DC0000-0x00007FFA66DE1000-memory.dmp
memory/4284-18-0x00007FFA56550000-0x00007FFA57600000-memory.dmp
memory/4284-19-0x00007FFA66DF0000-0x00007FFA66E31000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:23
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x3f4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/4480-0-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4480-1-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-2-0x00000000005D0000-0x00000000005EF000-memory.dmp
memory/4480-4-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-5-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-6-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-7-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-8-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-9-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-10-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-11-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-12-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-13-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-14-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-15-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-16-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-17-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4480-18-0x0000000010000000-0x0000000010013000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:24
Platform
win10v2004-20240426-en
Max time kernel
144s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3524 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe |
| PID 3524 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe |
| PID 3524 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe
"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\R2R\FabFilter_KeyGen.exe"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x398 0x304
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\keygen.exe
| MD5 | d46b062d7f8ecf948d579ebe809cd597 |
| SHA1 | bba400b955bca8729bfdffb343d3b9f54cbb42f3 |
| SHA256 | 9dca86bab19f5f0cd7c71ac4797921c93c03894f2378b8b3f4e97d742c9c2ea3 |
| SHA512 | 2c93a1e061a9a77b5c4b5ba8e5f6b4809f225c28b9279cf341c54b8cb586834c7e1ca583df8d8ad4ce8458fcdee306b9f43043b5c2e3f9441f024b4591ce7d49 |
memory/2956-7-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2956-11-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-14-0x00000000005C0000-0x00000000005DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\R2RFBFKG.dll
| MD5 | 62695f6fa2a85fc9993f57dfcbdc2749 |
| SHA1 | 07a9b478df63fba4cf3002974b4cf56b404d0914 |
| SHA256 | 1ab33027c4965b027298651781a1c780c272818da189e2c3a8101ac578069260 |
| SHA512 | 69dd0de913629853400106811bffdebd8ec2037c93c9f9820d3f140e84576912de3ab57434086e20cf8698185015c27fa307e06047e2219dcf38a927a36f3c95 |
C:\Users\Admin\AppData\Local\Temp\BASSMOD.dll
| MD5 | e4ec57e8508c5c4040383ebe6d367928 |
| SHA1 | b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06 |
| SHA256 | 8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f |
| SHA512 | 77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822 |
C:\Users\Admin\AppData\Local\Temp\bgm.it
| MD5 | 5e3c083251880c635f5ea6a0a6ed8e76 |
| SHA1 | e7fb44133e223140057243493159bdce01c5f080 |
| SHA256 | 9d460a48d7f7f461967c9065182456871606eef1c27f21767335b7d81384e141 |
| SHA512 | b4a6a5ad71a13f51989e1fccedb542ab528f6ab9bc3d60a4c93c59e544b8eaa06ca7b9fe79c1d9a5c92b61345c18e38736561cd21426bc9e43ae3a4c59424284 |
memory/2956-17-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-18-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-19-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-20-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-21-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-22-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-23-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-24-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-25-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-26-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-27-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-28-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-29-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-30-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2956-31-0x0000000010000000-0x0000000010013000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:23
Platform
win10-20240404-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3108 wrote to memory of 4744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3108 wrote to memory of 4744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3108 wrote to memory of 4744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RFBFKG.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RFBFKG.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 80.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.80.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:24
Platform
win10-20240404-en
Max time kernel
153s
Max time network
136s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QQM0Q.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp | N/A |
Loads dropped DLL
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QQM0Q.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe
"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe"
C:\Users\Admin\AppData\Local\Temp\is-QQM0Q.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QQM0Q.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp" /SL5="$50224,235174849,121344,C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
memory/5096-0-0x0000000000400000-0x0000000000428000-memory.dmp
memory/5096-2-0x0000000000401000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-QQM0Q.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp
| MD5 | 34acc2bdb45a9c436181426828c4cb49 |
| SHA1 | 5adaa1ac822e6128b8d4b59a54d19901880452ae |
| SHA256 | 9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07 |
| SHA512 | 134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb |
memory/288-6-0x0000000000400000-0x000000000052E000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-AIQIN.tmp\R2RINNO.dll
| MD5 | 5df8ada84a16f5dfc24096ef90a5ce3a |
| SHA1 | 5e7e9c68119c3a0a1afc92c60674bc8714492823 |
| SHA256 | 48a9c8c332fde541b571d9d522d0e37834b452f55af8cbdc341b12222e78fb5b |
| SHA512 | 661b5219c74dd6e3a8e899a1b1a3002689d148e337d7323a174519366c9548c284ee76e2faa2f9600cd483db21093ee62399f0d7403c39523c654266760191c2 |
\Users\Admin\AppData\Local\Temp\is-AIQIN.tmp\ISSKINU.DLL
| MD5 | f30afccd6fafc1cad4567ada824c9358 |
| SHA1 | 60a65b72f208563f90fba0da6af013a36707caa9 |
| SHA256 | e28d16fad16bca8198c47d7dd44acfd362dd6ba1654f700add8aaf2c0732622d |
| SHA512 | 59b199085ed4b59ef2b385a09d0901ff2efde7b344db1e900684a425fc2df8e2010ca73d2f2bffa547040cb1dd4c8938b175c463ccc5e39a840a19f9aa301a6c |
memory/288-14-0x0000000010000000-0x0000000010061000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-AIQIN.tmp\SKIN.CJSTYLES
| MD5 | 5f87caf3f7cf63dde8e6af53bdf31289 |
| SHA1 | a2c3cc3d9d831acd797155b667db59a32000d7a8 |
| SHA256 | 4731982b02b067d3f5a5a7518279a9265a49fb0f7b3f8dc3d61b82a5359d4940 |
| SHA512 | 4875298d82037ef1fff1ee3c58a9059d8480274326c862729fcc56664ecb49e2692c3838948c66dc8336e4050469d831cbf1fbd79b66565ab673d2a67765109d |
memory/288-30-0x0000000074F10000-0x0000000074F35000-memory.dmp
memory/288-29-0x0000000075040000-0x00000000750B7000-memory.dmp
memory/288-37-0x00000000749F0000-0x0000000074AE1000-memory.dmp
memory/288-36-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-33-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-34-0x0000000074F10000-0x0000000074F35000-memory.dmp
memory/288-32-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-31-0x0000000073B10000-0x0000000073B3E000-memory.dmp
memory/288-28-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-27-0x0000000074F10000-0x0000000074F35000-memory.dmp
memory/288-40-0x0000000074130000-0x000000007433E000-memory.dmp
memory/288-44-0x00000000749F0000-0x0000000074AE1000-memory.dmp
memory/288-43-0x0000000074370000-0x00000000744C9000-memory.dmp
memory/288-38-0x0000000075B80000-0x0000000076EC8000-memory.dmp
memory/288-83-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-82-0x0000000074130000-0x000000007433E000-memory.dmp
memory/288-79-0x0000000073920000-0x0000000073A53000-memory.dmp
memory/288-80-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-76-0x0000000074130000-0x000000007433E000-memory.dmp
memory/288-77-0x00000000740B0000-0x0000000074128000-memory.dmp
memory/288-75-0x0000000074C20000-0x0000000074D0F000-memory.dmp
memory/288-74-0x0000000074FD0000-0x0000000075015000-memory.dmp
memory/288-72-0x00000000749F0000-0x0000000074AE1000-memory.dmp
memory/288-71-0x0000000074370000-0x00000000744C9000-memory.dmp
memory/288-69-0x0000000073920000-0x0000000073A53000-memory.dmp
memory/288-67-0x0000000074130000-0x000000007433E000-memory.dmp
memory/288-64-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-63-0x0000000073920000-0x0000000073A53000-memory.dmp
memory/288-62-0x00000000740B0000-0x0000000074128000-memory.dmp
memory/288-61-0x0000000074F10000-0x0000000074F35000-memory.dmp
memory/288-60-0x0000000074130000-0x000000007433E000-memory.dmp
memory/288-59-0x0000000074C20000-0x0000000074D0F000-memory.dmp
memory/288-86-0x0000000073920000-0x0000000073A53000-memory.dmp
memory/288-87-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-85-0x0000000074130000-0x000000007433E000-memory.dmp
memory/288-78-0x0000000074080000-0x00000000740A3000-memory.dmp
memory/288-55-0x00000000740B0000-0x0000000074128000-memory.dmp
memory/288-70-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-68-0x00000000740B0000-0x0000000074128000-memory.dmp
memory/288-66-0x0000000074C20000-0x0000000074D0F000-memory.dmp
memory/288-50-0x0000000073920000-0x0000000073A53000-memory.dmp
memory/288-49-0x00000000740B0000-0x0000000074128000-memory.dmp
memory/288-48-0x0000000074130000-0x000000007433E000-memory.dmp
memory/288-47-0x0000000074C20000-0x0000000074D0F000-memory.dmp
memory/288-46-0x0000000074FD0000-0x0000000075015000-memory.dmp
memory/288-57-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-56-0x0000000073920000-0x0000000073A53000-memory.dmp
memory/288-54-0x0000000074130000-0x000000007433E000-memory.dmp
memory/288-53-0x0000000074C20000-0x0000000074D0F000-memory.dmp
memory/288-51-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-42-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-41-0x0000000073920000-0x0000000073A53000-memory.dmp
memory/288-39-0x0000000074C20000-0x0000000074D0F000-memory.dmp
memory/288-25-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-24-0x0000000075040000-0x00000000750B7000-memory.dmp
memory/288-35-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-21-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-26-0x0000000075040000-0x00000000750B7000-memory.dmp
memory/288-23-0x0000000010000000-0x0000000010061000-memory.dmp
memory/288-22-0x0000000075040000-0x00000000750B7000-memory.dmp
memory/288-20-0x0000000075040000-0x00000000750B7000-memory.dmp
memory/288-169-0x0000000000400000-0x000000000052E000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:23
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
94s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A (8 identical entries) | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A (7 identical entries) | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\$TEMP\bgm.it"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x500
Network
| Country | Destination | Domain | Proto |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:23
Platform
win10-20240404-en
Max time kernel
149s
Max time network
81s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3bc
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:24
Platform
win10v2004-20240508-en
Max time kernel
151s
Max time network
159s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4N5T0.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp | N/A |
Loads dropped DLL
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4N5T0.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2156 wrote to memory of 5112 (3 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe | C:\Users\Admin\AppData\Local\Temp\is-4N5T0.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe
"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe"
C:\Users\Admin\AppData\Local\Temp\is-4N5T0.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4N5T0.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp" /SL5="$A01E2,235174849,121344,C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\Setup FabFilter Total Bundle v2023.02.06.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/2156-0-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2156-2-0x0000000000401000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-4N5T0.tmp\Setup FabFilter Total Bundle v2023.02.06.tmp
| MD5 | 34acc2bdb45a9c436181426828c4cb49 |
| SHA1 | 5adaa1ac822e6128b8d4b59a54d19901880452ae |
| SHA256 | 9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07 |
| SHA512 | 134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb |
memory/5112-6-0x0000000000400000-0x000000000052E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-L0G91.tmp\R2RINNO.dll
| MD5 | 5df8ada84a16f5dfc24096ef90a5ce3a |
| SHA1 | 5e7e9c68119c3a0a1afc92c60674bc8714492823 |
| SHA256 | 48a9c8c332fde541b571d9d522d0e37834b452f55af8cbdc341b12222e78fb5b |
| SHA512 | 661b5219c74dd6e3a8e899a1b1a3002689d148e337d7323a174519366c9548c284ee76e2faa2f9600cd483db21093ee62399f0d7403c39523c654266760191c2 |
C:\Users\Admin\AppData\Local\Temp\is-L0G91.tmp\ISSKINU.DLL
| MD5 | f30afccd6fafc1cad4567ada824c9358 |
| SHA1 | 60a65b72f208563f90fba0da6af013a36707caa9 |
| SHA256 | e28d16fad16bca8198c47d7dd44acfd362dd6ba1654f700add8aaf2c0732622d |
| SHA512 | 59b199085ed4b59ef2b385a09d0901ff2efde7b344db1e900684a425fc2df8e2010ca73d2f2bffa547040cb1dd4c8938b175c463ccc5e39a840a19f9aa301a6c |
memory/5112-14-0x0000000010000000-0x0000000010061000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-L0G91.tmp\SKIN.CJSTYLES
| MD5 | 5f87caf3f7cf63dde8e6af53bdf31289 |
| SHA1 | a2c3cc3d9d831acd797155b667db59a32000d7a8 |
| SHA256 | 4731982b02b067d3f5a5a7518279a9265a49fb0f7b3f8dc3d61b82a5359d4940 |
| SHA512 | 4875298d82037ef1fff1ee3c58a9059d8480274326c862729fcc56664ecb49e2692c3838948c66dc8336e4050469d831cbf1fbd79b66565ab673d2a67765109d |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:24
Platform
win10-20240404-en
Max time kernel
129s
Max time network
137s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe
"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-10 05:18
Reported
2024-05-10 05:24
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
156s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe
"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2023.02.06\TEAM R2R FabFilter Signature Checker\FF_SignatureCheck.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |