Malware Analysis Report

2025-03-15 05:57

Sample ID 240512-nvra7add5x
Target 39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118
SHA256 95b0f18c1661324d752533a94e6cb17e460b46344135d82ff6b224f62545ce8c
Tags
vmprotect bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in page order: behavioral20, behavioral25, behavioral7, behavioral12, behavioral31, behavioral27, behavioral21, behavioral23, behavioral4, behavioral11, behavioral28, behavioral30, behavioral3, behavioral13, behavioral17, behavioral22, behavioral29, behavioral10, behavioral15, behavioral19, behavioral32, behavioral9, behavioral14, behavioral16, behavioral24, behavioral26, behavioral1, behavioral2, behavioral5, behavioral8, behavioral6, behavioral18

Analysis Overview

score
7/10

SHA256

95b0f18c1661324d752533a94e6cb17e460b46344135d82ff6b224f62545ce8c

Threat level: shows suspicious behavior

The file 39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118 shows suspicious behavior (score 7/10). It is an NSIS installer. The behavioral runs below whose command line is rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\<INetC|System|Base64|EnumINI|v6svc_oem>.dll,#1 are the sandbox detonating each extracted NSIS plugin on its own; the "Program crash" and "Suspicious use of WriteProcessMemory" hits in those runs (the 64-bit C:\Windows\system32\rundll32.exe handing the 32-bit plugin to C:\Windows\SysWOW64\rundll32.exe, whose PID then appears in the WerFault.exe -p argument) describe that harness rather than the installer. The "bootkit persistence" tag rests on a single indicator, a handle to \??\PhysicalDrive0 opened for modification by uplive.exe in behavioral13; the report records no data written through that handle.

Malicious Activity Summary

vmprotect bootkit persistence

VMProtect packed file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-12 11:44

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
(23 matches; description, indicator, process and target not recorded for any of them)

NSIS installer

installer
Description Indicator Process Target
(12 matches; description, indicator, process and target not recorded for any of them)

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

93s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2904 wrote to memory of 888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2904 wrote to memory of 888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 888 -ip 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 228

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_11_\$EXEFILE.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$_11_\$EXEFILE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$_11_\$EXEFILE.exe

"C:\Users\Admin\AppData\Local\Temp\$_11_\$EXEFILE.exe"

C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe

"C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe" show:=0;distsrc:=

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 push.51dzt.com udp
CN 101.126.4.125:80 push.51dzt.com tcp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
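
The Network table above mixes the sample's own contacts (push.51dzt.com) with traffic the sandbox image generates by itself: reverse PTR lookups of every address it sees, sent to 8.8.8.8, and Windows/Bing telemetry. The script below is an added example, not part of this report or of the sample; it parses rows in the report's "Country Destination Domain Proto" layout and separates the two classes so that only sample-attributable domains reach an IOC list. The rows are copied from the behavioral12, behavioral31 and behavioral13 tables; the list of benign suffixes is an assumption to be tuned for the sandbox image in use.

```python
import re
from collections import defaultdict

# Rows copied from this report's Network tables (behavioral12, behavioral31, behavioral13).
REPORT_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 push.51dzt.com udp
CN 101.126.4.125:80 push.51dzt.com tcp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 log.mmstat.com udp
CN 59.82.33.225:80 log.mmstat.com tcp
US 8.8.8.8:53 gm.mmstat.com udp
CN 59.82.33.224:80 gm.mmstat.com tcp
US 8.8.8.8:53 version.51dzt.com udp
US 8.8.8.8:53 kad.www.wps.cn udp
US 8.8.8.8:53 teinfo.wps.cn udp
CN 120.131.3.164:80 teinfo.wps.cn tcp
"""

# Assumption: domains this sandbox image contacts on its own (Windows/Edge telemetry).
# Tune per image; anything not matched here is attributed to the sample.
BENIGN_SUFFIXES = ("bing.com", "bing.net", "microsoft.com", "windowsupdate.com")

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse report rows into dicts; lines that do not match the table layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_noise(row):
    """Sandbox-generated traffic: PTR lookups and the benign suffix list."""
    name = row["name"].lower()
    if name.endswith(".in-addr.arpa"):
        return True
    return any(name == s or name.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage(text):
    """Group sample-attributable rows by domain.

    Returns {domain: {"endpoints": [ip:port, ...], "countries": [...], "dns_only": bool}}.
    The country column describes the destination IP, so for DNS rows it is the
    resolver's country (8.8.8.8 -> US), not the domain's; it is only recorded for
    non-DNS connections here.
    """
    out = defaultdict(lambda: {"endpoints": set(), "countries": set(), "dns_only": True})
    for row in parse_rows(text):
        if is_noise(row):
            continue
        entry = out[row["name"].lower()]
        is_dns = row["proto"] == "udp" and row["port"] == "53"
        if not is_dns:
            entry["dns_only"] = False
            entry["endpoints"].add(f'{row["ip"]}:{row["port"]}')
            entry["countries"].add(row["cc"])
    return {
        d: {"endpoints": sorted(v["endpoints"]), "countries": sorted(v["countries"]),
            "dns_only": v["dns_only"]}
        for d, v in sorted(out.items())
    }


if __name__ == "__main__":
    for domain, info in triage(REPORT_ROWS).items():
        state = "DNS lookup only" if info["dns_only"] else ", ".join(info["endpoints"])
        print(f"{domain:22} {state}")
```

Domains that appear only as a lookup (version.51dzt.com, kad.www.wps.cn in this report) are kept but flagged, since a name the sample asked for is still an indicator even when no connection followed within the capture window.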

Files

C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe

MD5 e74b76da172787dd4bea27c265abfb1f
SHA1 74079fc0e5557b7c56a7b15605f10c24169be277
SHA256 709ed9d7d7a59ef3856a49d66ff3368a858b727fedf6ebbf88124dfd75e27211
SHA512 25e92f86ee0973f1a7bcefbd9bc50d86a41e776196c532697c1f068d31a4c187469e9adf8a7864d72b51c9374332fef94add1ad64a1b60c7e2c0546de6422f50

C:\Users\Admin\AppData\Local\Temp\typsystp\QtGui4.dll

MD5 75b7949496826d53c00d68ba5b692fb9
SHA1 afc51095f9d00ed8a707b36c7f90c38ddc1110db
SHA256 e4b1d9f73f5ca43f3b5bd3be071aecf89c5bb26533b76fc2a44c3402e9647450
SHA512 d716276ad7f2a9cdbf124ffe2de2635beffd4c441b9e4f918774f6d9be9e848071ecd3345e61a7c0f609fea3d926e33b209c8ab5fdea1ae6e49975824f9e071f

C:\Users\Admin\AppData\Local\Temp\typsystp\QtNetwork4.dll

MD5 208abf2b2c48c1e325d1af099b9a9e3b
SHA1 6d3095579e7b0e58acbfe9b53f13ce6df3946e87
SHA256 478044d5b369d496e71e6a43c796ef589e9f90fb90378bfc5a4bcc415f38b4b2
SHA512 4c9f352955eae358f4ce20249e069947e743201e3914c8e5112f9c6902586b24a2133dc4c84eeafcdf3514f555403adbd2defb6214ca91aae0e7915c59a523dd

C:\Users\Admin\AppData\Local\Temp\typsystp\QtWebKit4.dll

MD5 913b5e5dfbfdf713683349dcbe34314e
SHA1 808f87cfe6390e070d6b768322b31693bb19d056
SHA256 2954c467499a1b754c68bdc109a9ff806621efabec22030ff81982ab690a4e2c
SHA512 7ae4a6322a57be53d4d8120039d3622f0422d1e110a84d33245d25e731bc177a91d6636e80729760c95d4411db6f924623e9573b8ed8909fe5398c245fa9a111

C:\Users\Admin\AppData\Local\Temp\typsystp\QtCore4.dll

MD5 19a44f86e3d00773d50f09b14fd76b09
SHA1 61d2810149ae15f67d68d5050d59b8625ae91675
SHA256 95bf5abdc6329a5eab173b28b9cf878835750df10babdf7f641e234d482321fa
SHA512 bf5266423f866e74a572fa902ea30f132d49885ad3f0563f2b2c679a8443b90461ba1c8e4ff2e76fb197255cb908b88f95cfcb1309045a3fbdddf33f04663035

C:\Users\Admin\AppData\Local\Temp\typsystp\QtXml4.dll

MD5 050a63393e0a94978d670f8af0bd5565
SHA1 69398a91d22d3b30e1765447cef4d2fb1f244ccb
SHA256 564d2b43f881a14cab5759f16952bc3b4097d0b32213feafa54ce46fa4e8b86d
SHA512 73f6bb1068756432e66de5720f850bae8653120fca30e5535894957eab17dd77bfc9beb586dc377b3b9ce10330f4c0ea7d93876e9191733d03f276d840ff7e7b

C:\Users\Admin\AppData\Local\Temp\typsystp\MSVCP100.dll

MD5 e3c817f7fe44cc870ecdbcbc3ea36132
SHA1 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256 d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA512 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

C:\Users\Admin\AppData\Local\Temp\typsystp\msvcr100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\nsu3A2C.tmp\ioSpecial.ini

MD5 6b25c486ec7617a9c03ade59e6f439e7
SHA1 c8b2e2cefbc8840ca2c52273d1a1383eb1c69011
SHA256 bb2d29ef5862d3cc0bb583ad86474ef59e6c1264cd438e01453d927735f5f697
SHA512 acd7115cc245f5e64c0a9a51bd0c85971c846cff99fc826eb79ab4eeb5cfe0c47fc76b60d12904295a9e19128b656a1c95072d6dedc57821477b0cbcd2fbb7d7

C:\Users\Admin\AppData\Local\Temp\nsu3A2C.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\typsystp\qt.conf

MD5 33b056056f3cdc4294818b69d0728d07
SHA1 e15dcf8c03529bcf7a61dc50e890d219cd5be7f0
SHA256 f701cf678a100bf522384122b9db40932517be2d8a0bc69d86a4996b27d69227
SHA512 1693cfb26d5f0323aac7a1d760260386beb8562f04ad1585a233772e5dbe18fb7c4dbfdd1fe19e4e6457eb06fda2293812748832f5f3aecefabf32cc0634a19f

memory/4556-132-0x00000000030D0000-0x00000000030D4000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240220-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\taobao\DandelionSetup.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\taobao\DandelionSetup.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\taobao\DandelionSetup.exe"

C:\Users\Admin\AppData\Local\Temp\stats_uploader.exe

C:\Users\Admin\AppData\Local\Temp\stats_uploader.exe --normal-stats1=http://log.mmstat.com/bluesky.3.2.2.1.22?result=-1&pid= --normal-stats2=http://gm.mmstat.com/tblm.3.2.2.1.22?result=-1&pid=

Network

Country Destination Domain Proto
US 8.8.8.8:53 log.mmstat.com udp
CN 59.82.33.225:80 log.mmstat.com tcp
US 8.8.8.8:53 gm.mmstat.com udp
CN 59.82.33.224:80 gm.mmstat.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsi231B.tmp\nsDandelion.dll

MD5 6927cf0fc84a18907539d1bd98362a54
SHA1 39906c7daa52415cea2e613df1c3cb26221498ab
SHA256 7b815a3664f4e635e1defc30287db2daefe0fecbf51f1d690a11e60259c57d2f
SHA512 1164837cad2bbbfcad248d04bd712172fde0a0dfb1ba9860d8ef28c84f92e2ad657463bad9bad877ef0e3a13bb6fd7433fdfab23b2870df393cbe224df9080de

\Users\Admin\AppData\Local\Temp\nsi231B.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

\Users\Admin\AppData\Local\Temp\stats_uploader.exe

MD5 ab4b681deec86fec156d84d575eeae1b
SHA1 ff174febc794d98675ae600bdeb0108f58874bbc
SHA256 d04649845c71ed0f88c8988f1fdf6aee6418ce3613ebb1525c4e4ecb3178476a
SHA512 c567e98c57d43122710c4f257f02ac0d9b2430196ebaf0faabc2f23c862ad5a7afabb46d77fa68a58cdb54f8cf6911fc411759f364a7aa929c3662e2a211f017

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240508-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 236

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240508-en

Max time kernel

117s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 224

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nav360.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\nav360.exe

"C:\Users\Admin\AppData\Local\Temp\nav360.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\EnumINI.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 1660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4900 wrote to memory of 1660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4900 wrote to memory of 1660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\EnumINI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\EnumINI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1660 -ip 1660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_11_\$EXEFILE.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_11_\$EXEFILE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_11_\$EXEFILE.exe

"C:\Users\Admin\AppData\Local\Temp\$_11_\$EXEFILE.exe"

C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe

"C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe" show:=0;distsrc:=

Network

Country Destination Domain Proto
US 8.8.8.8:53 push.51dzt.com udp
CN 101.126.69.5:80 push.51dzt.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsj938B.tmp\iorecommender3.ini

MD5 f498e479fb939862f1a36e5551fb9172
SHA1 e0f2ffb91aecdce688b97e3b157c0c6156705134
SHA256 35ff1059fa5ded6af7dbf88e53fe1597879ee43cdb24f0edd9ceed2ae2fec877
SHA512 bd7bc5a3ae9c38d9948f3f56ba24280e8c4b5d2e89039e0d08862a023473a2244fa243006a938320bdaefc3584cd55999ae961115d1961ef458ceab1ef5e3fd0

\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe

MD5 e74b76da172787dd4bea27c265abfb1f
SHA1 74079fc0e5557b7c56a7b15605f10c24169be277
SHA256 709ed9d7d7a59ef3856a49d66ff3368a858b727fedf6ebbf88124dfd75e27211
SHA512 25e92f86ee0973f1a7bcefbd9bc50d86a41e776196c532697c1f068d31a4c187469e9adf8a7864d72b51c9374332fef94add1ad64a1b60c7e2c0546de6422f50

C:\Users\Admin\AppData\Local\Temp\typsystp\QtCore4.dll

MD5 19a44f86e3d00773d50f09b14fd76b09
SHA1 61d2810149ae15f67d68d5050d59b8625ae91675
SHA256 95bf5abdc6329a5eab173b28b9cf878835750df10babdf7f641e234d482321fa
SHA512 bf5266423f866e74a572fa902ea30f132d49885ad3f0563f2b2c679a8443b90461ba1c8e4ff2e76fb197255cb908b88f95cfcb1309045a3fbdddf33f04663035

C:\Users\Admin\AppData\Local\Temp\typsystp\MSVCP100.dll

MD5 e3c817f7fe44cc870ecdbcbc3ea36132
SHA1 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256 d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA512 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

C:\Users\Admin\AppData\Local\Temp\typsystp\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\typsystp\QtGui4.dll

MD5 75b7949496826d53c00d68ba5b692fb9
SHA1 afc51095f9d00ed8a707b36c7f90c38ddc1110db
SHA256 e4b1d9f73f5ca43f3b5bd3be071aecf89c5bb26533b76fc2a44c3402e9647450
SHA512 d716276ad7f2a9cdbf124ffe2de2635beffd4c441b9e4f918774f6d9be9e848071ecd3345e61a7c0f609fea3d926e33b209c8ab5fdea1ae6e49975824f9e071f

C:\Users\Admin\AppData\Local\Temp\nsj938B.tmp\ioSpecial.ini

MD5 f8524d57f5d59cca0edf74c8da8a7bb2
SHA1 aa16baf4af18a4d4a05af79007d6896f30947116
SHA256 76fefaecc58f4d2a5d70048471bad4bbcdce67e7ed25643e54ef4320165e0b1f
SHA512 39f5d7c4fcd1d775b04b71eaf39f629ebb370b73dffbc3d5034267eb3b23e05aea99c5bd3b2ece6db5610e2745289e73c36efa3cc270be42fea2b972ba3ddd76

\Users\Admin\AppData\Local\Temp\nsj938B.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsj938B.tmp\ioSpecial.ini

MD5 a9b0a4c107c6cd9e8d6c354efb6040e8
SHA1 d7780622252a32acdc7cc3d8d6e6eed437404d5b
SHA256 6d8e668a99c958f56a06a4bef38c904f952c5cdda06ea3e5531fc3ff9f6b5204
SHA512 9c84b3b44215d308c3de8ab4fed001265aac7ea55010529b5ac8dbb49763df713c5ffd13afe0d007ae05cd6917346be8ffb7b0efb89c691b9d2ec4913fb709a0

C:\Users\Admin\AppData\Local\Temp\typsystp\QtWebKit4.dll

MD5 913b5e5dfbfdf713683349dcbe34314e
SHA1 808f87cfe6390e070d6b768322b31693bb19d056
SHA256 2954c467499a1b754c68bdc109a9ff806621efabec22030ff81982ab690a4e2c
SHA512 7ae4a6322a57be53d4d8120039d3622f0422d1e110a84d33245d25e731bc177a91d6636e80729760c95d4411db6f924623e9573b8ed8909fe5398c245fa9a111

\Users\Admin\AppData\Local\Temp\typsystp\QtNetwork4.dll

MD5 208abf2b2c48c1e325d1af099b9a9e3b
SHA1 6d3095579e7b0e58acbfe9b53f13ce6df3946e87
SHA256 478044d5b369d496e71e6a43c796ef589e9f90fb90378bfc5a4bcc415f38b4b2
SHA512 4c9f352955eae358f4ce20249e069947e743201e3914c8e5112f9c6902586b24a2133dc4c84eeafcdf3514f555403adbd2defb6214ca91aae0e7915c59a523dd

C:\Users\Admin\AppData\Local\Temp\typsystp\qt.conf

MD5 33b056056f3cdc4294818b69d0728d07
SHA1 e15dcf8c03529bcf7a61dc50e890d219cd5be7f0
SHA256 f701cf678a100bf522384122b9db40932517be2d8a0bc69d86a4996b27d69227
SHA512 1693cfb26d5f0323aac7a1d760260386beb8562f04ad1585a233772e5dbe18fb7c4dbfdd1fe19e4e6457eb06fda2293812748832f5f3aecefabf32cc0634a19f

\Users\Admin\AppData\Local\Temp\typsystp\QtXml4.dll

MD5 050a63393e0a94978d670f8af0bd5565
SHA1 69398a91d22d3b30e1765447cef4d2fb1f244ccb
SHA256 564d2b43f881a14cab5759f16952bc3b4097d0b32213feafa54ce46fa4e8b86d
SHA512 73f6bb1068756432e66de5720f850bae8653120fca30e5535894957eab17dd77bfc9beb586dc377b3b9ce10330f4c0ea7d93876e9191733d03f276d840ff7e7b

memory/2084-129-0x0000000000180000-0x0000000000184000-memory.dmp
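
The Files sections of behavioral12 and behavioral11 list the same dropped binaries under different NSIS temporary directories (nsu3A2C.tmp and nsj938B.tmp), some with and some without the drive letter, while ioSpecial.ini carries a different hash in each of its three listings because NSIS regenerates it per run. The script below is an added example, not part of this report; it parses Files entries in the report's layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines), normalises the per-run temp directory, and emits one record per unique SHA256 so that stable hashes can go on an IOC list and per-run files can be set aside. The entries are copied from the page (SHA1/SHA512 lines omitted for brevity); the temp-directory pattern and placeholder are assumptions.

```python
import re

# Entries copied from this report's behavioral12 and behavioral11 Files sections.
REPORT_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\nsu3A2C.tmp\InstallOptions.dll
MD5 325b008aec81e5aaa57096f05d4212b5
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

C:\Users\Admin\AppData\Local\Temp\nsu3A2C.tmp\ioSpecial.ini
MD5 6b25c486ec7617a9c03ade59e6f439e7
SHA256 bb2d29ef5862d3cc0bb583ad86474ef59e6c1264cd438e01453d927735f5f697

\Users\Admin\AppData\Local\Temp\nsj938B.tmp\InstallOptions.dll
MD5 325b008aec81e5aaa57096f05d4212b5
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

C:\Users\Admin\AppData\Local\Temp\nsj938B.tmp\ioSpecial.ini
MD5 f8524d57f5d59cca0edf74c8da8a7bb2
SHA256 76fefaecc58f4d2a5d70048471bad4bbcdce67e7ed25643e54ef4320165e0b1f

C:\Users\Admin\AppData\Local\Temp\nsj938B.tmp\ioSpecial.ini
MD5 a9b0a4c107c6cd9e8d6c354efb6040e8
SHA256 6d8e668a99c958f56a06a4bef38c904f952c5cdda06ea3e5531fc3ff9f6b5204

C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe
MD5 e74b76da172787dd4bea27c265abfb1f
SHA256 709ed9d7d7a59ef3856a49d66ff3368a858b727fedf6ebbf88124dfd75e27211

\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe
MD5 e74b76da172787dd4bea27c265abfb1f
SHA256 709ed9d7d7a59ef3856a49d66ff3368a858b727fedf6ebbf88124dfd75e27211

memory/2084-129-0x0000000000180000-0x0000000000184000-memory.dmp
"""

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")                       # with or without drive letter
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.IGNORECASE)
# Assumption: NSIS names its per-run plugin directory ns<4-5 alphanumerics>.tmp.
NSIS_TMP_RE = re.compile(r"\\ns[a-z0-9]{4,5}\.tmp\\", re.IGNORECASE)


def normalise_path(path):
    """Drop the drive letter and replace the per-run NSIS temp directory with a placeholder."""
    path = re.sub(r"^[A-Za-z]:", "", path)
    return NSIS_TMP_RE.sub(r"\\<nsis-tmp>\\", path)


def parse_files(text):
    """Return [(path, {ALGO: digest}), ...] for each entry: a path line then its hash lines."""
    entries, path, hashes = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and path is not None:
            hashes[m.group(1).upper()] = m.group(2).lower()
            continue
        if PATH_RE.match(line) or line.startswith("memory/"):
            if path is not None:
                entries.append((path, hashes))
            path, hashes = line, {}
    if path is not None:
        entries.append((path, hashes))
    return entries


def unique_by_sha256(text):
    """One record per SHA256: normalised paths it was seen under, how often, and its MD5."""
    out = {}
    for path, hashes in parse_files(text):
        sha = hashes.get("SHA256")
        if not sha:                      # memory dumps and entries without hashes
            continue
        rec = out.setdefault(sha, {"paths": set(), "seen": 0, "md5": hashes.get("MD5")})
        rec["paths"].add(normalise_path(path))
        rec["seen"] += 1
    return {k: {"paths": sorted(v["paths"]), "seen": v["seen"], "md5": v["md5"]}
            for k, v in out.items()}


def unstable_paths(text):
    """Normalised paths seen with more than one SHA256: generated per run, poor file-hash IOCs."""
    by_path = {}
    for sha, rec in unique_by_sha256(text).items():
        for p in rec["paths"]:
            by_path.setdefault(p, set()).add(sha)
    return sorted(p for p, shas in by_path.items() if len(shas) > 1)


if __name__ == "__main__":
    for sha, rec in unique_by_sha256(REPORT_FILES).items():
        print(sha, rec["seen"], rec["paths"])
    print("unstable:", unstable_paths(REPORT_FILES))
```

Run against the full report, the stable records (InstallOptions.dll, typsycncntrtn.exe and the Qt/MSVC runtime DLLs) are the ones worth pivoting on; the runtime DLLs are generic, so their hashes identify the bundled Qt 4 build rather than this sample.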

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3332 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3332 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3332 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 152.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4296 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4296 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4296 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\EnumINI.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\EnumINI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\EnumINI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 224

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240419-en

Max time kernel

121s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\TypeEasyData\download\uplive.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\$APPDATA\TypeEasyData\download\uplive.exe N/A

Note: this signature fires when the raw-disk device is opened with write access. The report records neither a write on that handle nor the sector affected, so the "bootkit persistence" tag is an inference from the open, not from an observed change to the MBR. Confirm or rule it out by comparing sector 0 of the detonation disk against a known-good copy before treating the sample as a bootkit.
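
The check that settles the indicator above, as an added example that is not part of this report or of the sample: parse the 512-byte MBR (446 bytes of boot code including the NT disk signature at offset 0x1B8, four 16-byte partition entries, the 0x55AA signature) and diff it against a known-good baseline. The baseline and the tampered sector are constructed inline; on a live Windows host the same bytes come from reading \\.\PhysicalDrive0 as Administrator (read_sector0 below, which is not exercised here), and on a disk image from the image's first 512 bytes.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot code; NT disk signature lives at 0x1B8
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE_OFF = 510        # 0x55 0xAA


def parse_mbr(sector):
    """Split a 512-byte MBR into a boot-code hash, its partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype:  # partition type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 0x1B8)[0],
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
    }


def diff_mbr(baseline, current):
    """Names of the MBR components that differ between two parsed sectors."""
    return [k for k in ("boot_code_sha256", "disk_signature", "partitions", "signature_ok")
            if baseline[k] != current[k]]


def read_sector0(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw device (Administrator on Windows; root and e.g. /dev/sda on Linux)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


def make_sector(boot_code, entries):
    """Constructed test MBR from boot code and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in entries)
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table.ljust(64, b"\0") + b"\x55\xaa"


# Constructed baseline: stub boot code and one bootable NTFS (type 0x07) partition at LBA 2048.
BASELINE = make_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16, [(0x80, 0x07, 2048, 204800)])
# Constructed tampered sector: identical partition table, replaced boot code, which is the
# part a bootkit overwrites to run before the OS loader.
TAMPERED = make_sector(b"\xeb\xfe" + b"\x00" * 21, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    base, cur = parse_mbr(BASELINE), parse_mbr(TAMPERED)
    print("partitions:", base["partitions"])
    print("changed:", diff_mbr(base, cur))
```

A result of only boot_code_sha256 changing with the partition table intact is the classic MBR-bootkit footprint; a changed disk_signature alone more often means an imaging or disk-management tool, and an empty diff means the open handle in the signature above was never used to modify sector 0.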

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\TypeEasyData\download\uplive.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\TypeEasyData\download\uplive.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 version.51dzt.com udp
US 8.8.8.8:53 kad.www.wps.cn udp
US 8.8.8.8:53 teinfo.wps.cn udp
CN 120.131.3.164:80 teinfo.wps.cn tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240220-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 228

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3868 wrote to memory of 4824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3868 wrote to memory of 4824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3868 wrote to memory of 4824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4824 -ip 4824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240215-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\v6svc_oem.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\v6svc_oem.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\v6svc_oem.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240221-en

Max time kernel

119s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\nav360\nav360.4.0.1.2.zh.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\nav360\nav360.4.0.1.2.zh.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\nav360\nav360.4.0.1.2.zh.exe"

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240215-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 236

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:47

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\taobao\DandelionSetup.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\taobao\DandelionSetup.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\taobao\DandelionSetup.exe"

C:\Users\Admin\AppData\Local\Temp\stats_uploader.exe

C:\Users\Admin\AppData\Local\Temp\stats_uploader.exe --normal-stats1=http://log.mmstat.com/bluesky.3.2.2.1.22?result=-1&pid= --normal-stats2=http://gm.mmstat.com/tblm.3.2.2.1.22?result=-1&pid=

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 log.mmstat.com udp
CN 59.82.33.225:80 log.mmstat.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 gm.mmstat.com udp
CN 59.82.33.224:80 gm.mmstat.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsv849D.tmp\nsDandelion.dll

MD5 6927cf0fc84a18907539d1bd98362a54
SHA1 39906c7daa52415cea2e613df1c3cb26221498ab
SHA256 7b815a3664f4e635e1defc30287db2daefe0fecbf51f1d690a11e60259c57d2f
SHA512 1164837cad2bbbfcad248d04bd712172fde0a0dfb1ba9860d8ef28c84f92e2ad657463bad9bad877ef0e3a13bb6fd7433fdfab23b2870df393cbe224df9080de

C:\Users\Admin\AppData\Local\Temp\nsv849D.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

C:\Users\Admin\AppData\Local\Temp\stats_uploader.exe

MD5 ab4b681deec86fec156d84d575eeae1b
SHA1 ff174febc794d98675ae600bdeb0108f58874bbc
SHA256 d04649845c71ed0f88c8988f1fdf6aee6418ce3613ebb1525c4e4ecb3178476a
SHA512 c567e98c57d43122710c4f257f02ac0d9b2430196ebaf0faabc2f23c862ad5a7afabb46d77fa68a58cdb54f8cf6911fc411759f364a7aa929c3662e2a211f017

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240220-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\v6svc_oem.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\v6svc_oem.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\v6svc_oem.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 228

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\TypeEasyData\download\uplive.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\$APPDATA\TypeEasyData\download\uplive.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\TypeEasyData\download\uplive.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\TypeEasyData\download\uplive.exe"

Network

Country Destination Domain Proto
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 version.51dzt.com udp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 kad.www.wps.cn udp
US 8.8.8.8:53 teinfo.wps.cn udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
CN 120.131.3.164:80 teinfo.wps.cn tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240508-en

Max time kernel

128s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\nav360\nav360.4.0.1.2.zh.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\nav360\nav360.4.0.1.2.zh.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\nav360\nav360.4.0.1.2.zh.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4204,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nav360.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\nav360.exe

"C:\Users\Admin\AppData\Local\Temp\nav360.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240508-en

Max time kernel

120s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4400 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4400 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4400 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240508-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

NSIS installer

installer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1796 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe
PID 1796 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe
PID 1796 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe
PID 1796 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe
PID 2604 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe
PID 2604 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe
PID 2604 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe
PID 2604 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe

"C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe" show:=0;distsrc:=12012.0

Network

Country Destination Domain Proto
US 8.8.8.8:53 push.51dzt.com udp
CN 101.126.4.125:80 push.51dzt.com tcp

Files

\Users\Admin\AppData\Local\Temp\nst283A.tmp\v6svc_oem.dll

MD5 77ae6eb2b0b2458b87b1e2cfa9b33bf2
SHA1 624933fd54964d1d13b7ba281fddda51b3ce071c
SHA256 c672794f4abd71872ceb48445fa8b30e21698dfa818d22f0ad67ac0d85df9290
SHA512 bc77d229fa5c431c2cfc2e853229b8b44ce70cdd8757bb03391d5bafd9212752dfa4402606ea1115fac9f0ea9379afa9432c996b734709909556c89ffa8bda7f

\Users\Admin\AppData\Local\Temp\nst283A.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nst283A.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe

MD5 5b4bf2e6f1d951dd71132b761180cca3
SHA1 7b1ea94e6f333d5e2a6b986e6917c3e0fd3bebab
SHA256 0847888f9209018de9249c9da43b0b0ac290bb72285e92e7dfc26ef1708116ed
SHA512 f1437763319da9e7b920a249775e2ca679a943bfa1b28350ede78bb7be433ca57aa6610cbdd79670ff0dac664510207a7575738857df23bf753554c10c8576c5

C:\Users\Admin\AppData\Local\Temp\nsy33A0.tmp\iorecommender3.ini

MD5 f498e479fb939862f1a36e5551fb9172
SHA1 e0f2ffb91aecdce688b97e3b157c0c6156705134
SHA256 35ff1059fa5ded6af7dbf88e53fe1597879ee43cdb24f0edd9ceed2ae2fec877
SHA512 bd7bc5a3ae9c38d9948f3f56ba24280e8c4b5d2e89039e0d08862a023473a2244fa243006a938320bdaefc3584cd55999ae961115d1961ef458ceab1ef5e3fd0

C:\Users\Admin\AppData\Local\Temp\nst283A.tmp\oem.ini

MD5 dfe29cd206469fc8d65fda65da046601
SHA1 3d025d2f04573dabe1675e36a56b225366954dad
SHA256 fadd693fa0bca01d2b21039424cb8ff044cfc951cacaa89c1bf84307a4147975
SHA512 d56a12516046a32161ea6f98d36fed08ad3c3684be4c9b1f30f0f56c20ca072adea13e4dff01c7d91d3979a8f7e672dd43158615bb23bdc7ac8c7acaec899c8e

\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe

MD5 e74b76da172787dd4bea27c265abfb1f
SHA1 74079fc0e5557b7c56a7b15605f10c24169be277
SHA256 709ed9d7d7a59ef3856a49d66ff3368a858b727fedf6ebbf88124dfd75e27211
SHA512 25e92f86ee0973f1a7bcefbd9bc50d86a41e776196c532697c1f068d31a4c187469e9adf8a7864d72b51c9374332fef94add1ad64a1b60c7e2c0546de6422f50

C:\Users\Admin\AppData\Local\Temp\typsystp\QtCore4.dll

MD5 19a44f86e3d00773d50f09b14fd76b09
SHA1 61d2810149ae15f67d68d5050d59b8625ae91675
SHA256 95bf5abdc6329a5eab173b28b9cf878835750df10babdf7f641e234d482321fa
SHA512 bf5266423f866e74a572fa902ea30f132d49885ad3f0563f2b2c679a8443b90461ba1c8e4ff2e76fb197255cb908b88f95cfcb1309045a3fbdddf33f04663035

C:\Users\Admin\AppData\Local\Temp\typsystp\MSVCP100.dll

MD5 e3c817f7fe44cc870ecdbcbc3ea36132
SHA1 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256 d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA512 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

C:\Users\Admin\AppData\Local\Temp\typsystp\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\typsystp\QtGui4.dll

MD5 75b7949496826d53c00d68ba5b692fb9
SHA1 afc51095f9d00ed8a707b36c7f90c38ddc1110db
SHA256 e4b1d9f73f5ca43f3b5bd3be071aecf89c5bb26533b76fc2a44c3402e9647450
SHA512 d716276ad7f2a9cdbf124ffe2de2635beffd4c441b9e4f918774f6d9be9e848071ecd3345e61a7c0f609fea3d926e33b209c8ab5fdea1ae6e49975824f9e071f

C:\Users\Admin\AppData\Local\Temp\typsystp\QtNetwork4.dll

MD5 208abf2b2c48c1e325d1af099b9a9e3b
SHA1 6d3095579e7b0e58acbfe9b53f13ce6df3946e87
SHA256 478044d5b369d496e71e6a43c796ef589e9f90fb90378bfc5a4bcc415f38b4b2
SHA512 4c9f352955eae358f4ce20249e069947e743201e3914c8e5112f9c6902586b24a2133dc4c84eeafcdf3514f555403adbd2defb6214ca91aae0e7915c59a523dd

C:\Users\Admin\AppData\Local\Temp\typsystp\QtWebKit4.dll

MD5 913b5e5dfbfdf713683349dcbe34314e
SHA1 808f87cfe6390e070d6b768322b31693bb19d056
SHA256 2954c467499a1b754c68bdc109a9ff806621efabec22030ff81982ab690a4e2c
SHA512 7ae4a6322a57be53d4d8120039d3622f0422d1e110a84d33245d25e731bc177a91d6636e80729760c95d4411db6f924623e9573b8ed8909fe5398c245fa9a111

C:\Users\Admin\AppData\Local\Temp\typsystp\QtXml4.dll

MD5 050a63393e0a94978d670f8af0bd5565
SHA1 69398a91d22d3b30e1765447cef4d2fb1f244ccb
SHA256 564d2b43f881a14cab5759f16952bc3b4097d0b32213feafa54ce46fa4e8b86d
SHA512 73f6bb1068756432e66de5720f850bae8653120fca30e5535894957eab17dd77bfc9beb586dc377b3b9ce10330f4c0ea7d93876e9191733d03f276d840ff7e7b

C:\Users\Admin\AppData\Local\Temp\nsy33A0.tmp\ioSpecial.ini

MD5 39c998aad6c97b3ba65ece4fd09ebdfc
SHA1 71de837726edcd985c9fea1b8d792ff8149d02f2
SHA256 7e082fc719cf36288e4224a68a5a9d1fd1039708ea28c07deddd17db013504fb
SHA512 678de692aca2b55d1be6ea70fb502b29fb968481cb9ecfe0526e021ec8da9611ea6a4d0ca6e1497a602c2c813f72245ffc33480226fc36a16381be9e7c048497

\Users\Admin\AppData\Local\Temp\nsy33A0.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsy33A0.tmp\ioSpecial.ini

MD5 7a2c5b9e4be8f497f43fdfbc90b03b3d
SHA1 30e89e744873343d06ad7a8db9d35c550e169d67
SHA256 28cd4b24f5785189bf23e129c8eb840aebe27caa5ca08950b5391d56b1230de8
SHA512 8e19183f279d4d3efc6ea26bfa1afc11fca3cce3b188449a9590eeefe4624f6e930adfd2fd0e466aaff4b34e6aa368efbe06a95003ceffdafbabd0585553b5c1

C:\Users\Admin\AppData\Local\Temp\typsystp\qt.conf

MD5 33b056056f3cdc4294818b69d0728d07
SHA1 e15dcf8c03529bcf7a61dc50e890d219cd5be7f0
SHA256 f701cf678a100bf522384122b9db40932517be2d8a0bc69d86a4996b27d69227
SHA512 1693cfb26d5f0323aac7a1d760260386beb8562f04ad1585a233772e5dbe18fb7c4dbfdd1fe19e4e6457eb06fda2293812748832f5f3aecefabf32cc0634a19f

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nsl7BD8.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsl7BD8.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\nsl7BD8.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe

"C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe" show:=0;distsrc:=12012.0

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 push.51dzt.com udp
CN 119.3.210.249:80 push.51dzt.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsl7BD8.tmp\v6svc_oem.dll

MD5 77ae6eb2b0b2458b87b1e2cfa9b33bf2
SHA1 624933fd54964d1d13b7ba281fddda51b3ce071c
SHA256 c672794f4abd71872ceb48445fa8b30e21698dfa818d22f0ad67ac0d85df9290
SHA512 bc77d229fa5c431c2cfc2e853229b8b44ce70cdd8757bb03391d5bafd9212752dfa4402606ea1115fac9f0ea9379afa9432c996b734709909556c89ffa8bda7f

C:\Users\Admin\AppData\Local\Temp\nsl7BD8.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsl7BD8.tmp\39ed7032343bd7c7c4db33a6fbc629d4_JaffaCakes118.exe

MD5 5b4bf2e6f1d951dd71132b761180cca3
SHA1 7b1ea94e6f333d5e2a6b986e6917c3e0fd3bebab
SHA256 0847888f9209018de9249c9da43b0b0ac290bb72285e92e7dfc26ef1708116ed
SHA512 f1437763319da9e7b920a249775e2ca679a943bfa1b28350ede78bb7be433ca57aa6610cbdd79670ff0dac664510207a7575738857df23bf753554c10c8576c5

C:\Users\Admin\AppData\Local\Temp\nsm7F82.tmp\iorecommender3.ini

MD5 f498e479fb939862f1a36e5551fb9172
SHA1 e0f2ffb91aecdce688b97e3b157c0c6156705134
SHA256 35ff1059fa5ded6af7dbf88e53fe1597879ee43cdb24f0edd9ceed2ae2fec877
SHA512 bd7bc5a3ae9c38d9948f3f56ba24280e8c4b5d2e89039e0d08862a023473a2244fa243006a938320bdaefc3584cd55999ae961115d1961ef458ceab1ef5e3fd0

C:\Users\Admin\AppData\Local\Temp\nsl7BD8.tmp\oem.ini

MD5 dfe29cd206469fc8d65fda65da046601
SHA1 3d025d2f04573dabe1675e36a56b225366954dad
SHA256 fadd693fa0bca01d2b21039424cb8ff044cfc951cacaa89c1bf84307a4147975
SHA512 d56a12516046a32161ea6f98d36fed08ad3c3684be4c9b1f30f0f56c20ca072adea13e4dff01c7d91d3979a8f7e672dd43158615bb23bdc7ac8c7acaec899c8e

C:\Users\Admin\AppData\Local\Temp\typsystp\typsycncntrtn.exe

MD5 e74b76da172787dd4bea27c265abfb1f
SHA1 74079fc0e5557b7c56a7b15605f10c24169be277
SHA256 709ed9d7d7a59ef3856a49d66ff3368a858b727fedf6ebbf88124dfd75e27211
SHA512 25e92f86ee0973f1a7bcefbd9bc50d86a41e776196c532697c1f068d31a4c187469e9adf8a7864d72b51c9374332fef94add1ad64a1b60c7e2c0546de6422f50

C:\Users\Admin\AppData\Local\Temp\typsystp\QtGui4.dll

MD5 75b7949496826d53c00d68ba5b692fb9
SHA1 afc51095f9d00ed8a707b36c7f90c38ddc1110db
SHA256 e4b1d9f73f5ca43f3b5bd3be071aecf89c5bb26533b76fc2a44c3402e9647450
SHA512 d716276ad7f2a9cdbf124ffe2de2635beffd4c441b9e4f918774f6d9be9e848071ecd3345e61a7c0f609fea3d926e33b209c8ab5fdea1ae6e49975824f9e071f

C:\Users\Admin\AppData\Local\Temp\typsystp\QtNetwork4.dll

MD5 208abf2b2c48c1e325d1af099b9a9e3b
SHA1 6d3095579e7b0e58acbfe9b53f13ce6df3946e87
SHA256 478044d5b369d496e71e6a43c796ef589e9f90fb90378bfc5a4bcc415f38b4b2
SHA512 4c9f352955eae358f4ce20249e069947e743201e3914c8e5112f9c6902586b24a2133dc4c84eeafcdf3514f555403adbd2defb6214ca91aae0e7915c59a523dd

C:\Users\Admin\AppData\Local\Temp\typsystp\QtCore4.dll

MD5 19a44f86e3d00773d50f09b14fd76b09
SHA1 61d2810149ae15f67d68d5050d59b8625ae91675
SHA256 95bf5abdc6329a5eab173b28b9cf878835750df10babdf7f641e234d482321fa
SHA512 bf5266423f866e74a572fa902ea30f132d49885ad3f0563f2b2c679a8443b90461ba1c8e4ff2e76fb197255cb908b88f95cfcb1309045a3fbdddf33f04663035

C:\Users\Admin\AppData\Local\Temp\typsystp\QtWebKit4.dll

MD5 913b5e5dfbfdf713683349dcbe34314e
SHA1 808f87cfe6390e070d6b768322b31693bb19d056
SHA256 2954c467499a1b754c68bdc109a9ff806621efabec22030ff81982ab690a4e2c
SHA512 7ae4a6322a57be53d4d8120039d3622f0422d1e110a84d33245d25e731bc177a91d6636e80729760c95d4411db6f924623e9573b8ed8909fe5398c245fa9a111

C:\Users\Admin\AppData\Local\Temp\typsystp\QtXml4.dll

MD5 050a63393e0a94978d670f8af0bd5565
SHA1 69398a91d22d3b30e1765447cef4d2fb1f244ccb
SHA256 564d2b43f881a14cab5759f16952bc3b4097d0b32213feafa54ce46fa4e8b86d
SHA512 73f6bb1068756432e66de5720f850bae8653120fca30e5535894957eab17dd77bfc9beb586dc377b3b9ce10330f4c0ea7d93876e9191733d03f276d840ff7e7b

C:\Users\Admin\AppData\Local\Temp\typsystp\msvcr100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\nsm7F82.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\typsystp\qt.conf

MD5 33b056056f3cdc4294818b69d0728d07
SHA1 e15dcf8c03529bcf7a61dc50e890d219cd5be7f0
SHA256 f701cf678a100bf522384122b9db40932517be2d8a0bc69d86a4996b27d69227
SHA512 1693cfb26d5f0323aac7a1d760260386beb8562f04ad1585a233772e5dbe18fb7c4dbfdd1fe19e4e6457eb06fda2293812748832f5f3aecefabf32cc0634a19f

C:\Users\Admin\AppData\Local\Temp\nsm7F82.tmp\ioSpecial.ini

MD5 d98015cd54d3fb91bb70c6f2fcba4122
SHA1 4b78e4b904ddcff399dfdadbe44d14107474495d
SHA256 1e1dd055bc2870ba484ad2e3131ed1a1a4ea57a26cbe4b0c70a9821136aeffe0
SHA512 814de99449ebcbdfe2c83187a113cbaaf717758b7e97c2688022b824194083e50063c7a8297e8695c5c4d3f17d42c1b67c8600df51930dadbd6a0d02d42376a3

C:\Users\Admin\AppData\Local\Temp\typsystp\msvcp100.dll

MD5 e3c817f7fe44cc870ecdbcbc3ea36132
SHA1 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256 d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA512 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 4012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3312 wrote to memory of 4012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3312 wrote to memory of 4012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 612

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240426-en

Max time kernel

131s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 776 wrote to memory of 4208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 776 wrote to memory of 4208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 776 wrote to memory of 4208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4208 -ip 4208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 600

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-12 11:43

Reported

2024-05-12 11:46

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 3512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2876 wrote to memory of 3512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2876 wrote to memory of 3512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3512 -ip 3512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 604

Network

Country Destination Domain Proto

Files

N/A