Analysis Overview
SHA256
d5be0d704750f73bfa21ca7345def0792273261aa9a4fde3f8d86f2eabce0ad0
Threat Level: Shows suspicious behavior
The file 4092bba54f030ee187b17c836c6793b0_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
UPX packed file
VMProtect packed file
Drops file in Program Files directory
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-14 06:49
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 952 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 952 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 952 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 952 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 952 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 952 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 952 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext.dll",#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Registration.bat | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe
"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Registration.bat""
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\ZCB\ZCB.dll
Network
Files
memory/2364-0-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-9-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-7-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-2-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-3-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-5-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-4-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-19-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-39-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-41-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-49-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-48-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-45-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-43-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-36-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-34-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-32-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-30-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-28-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-24-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-23-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-21-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-17-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-15-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2364-11-0x0000000010000000-0x000000001003D000-memory.dmp
C:\Program Files\Registration.bat
| MD5 | d68915023640e63dac11b6c7a1dfa07b |
| SHA1 | afac4d14e71d4474739455d71b197034edeef58a |
| SHA256 | cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937 |
| SHA512 | 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01 |
memory/2364-59-0x0000000010000000-0x000000001003D000-memory.dmp
\??\c:\ZCB\ZCB.dll
| MD5 | 679820559727944c864d3bdd4768a43f |
| SHA1 | 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5 |
| SHA256 | 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6 |
| SHA512 | 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38 |
memory/1936-65-0x0000000073E90000-0x00000000746E3000-memory.dmp
memory/1936-66-0x0000000073E90000-0x00000000746E3000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
104s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Registration.bat | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3400 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3400 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3400 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2488 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2488 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2488 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe
"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Registration.bat""
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\ZCB\ZCB.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/3400-0-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-33-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-43-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-47-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-46-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-41-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-39-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-37-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-35-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-31-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-29-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-27-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-25-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-23-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-19-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-15-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-13-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-11-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-3-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-2-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-21-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-17-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-9-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-7-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-5-0x0000000010000000-0x000000001003D000-memory.dmp
memory/3400-4-0x0000000010000000-0x000000001003D000-memory.dmp
C:\Program Files\Registration.bat
| MD5 | d68915023640e63dac11b6c7a1dfa07b |
| SHA1 | afac4d14e71d4474739455d71b197034edeef58a |
| SHA256 | cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937 |
| SHA512 | 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01 |
\??\c:\ZCB\ZCB.dll
| MD5 | 679820559727944c864d3bdd4768a43f |
| SHA1 | 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5 |
| SHA256 | 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6 |
| SHA512 | 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38 |
memory/1100-55-0x0000000074B00000-0x0000000075353000-memory.dmp
memory/1100-56-0x0000000074B00000-0x0000000075353000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4544 wrote to memory of 4740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4544 wrote to memory of 4740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4544 wrote to memory of 4740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext3.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext3.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240508-en
Max time kernel
123s
Max time network
132s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3792 wrote to memory of 2076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3792 wrote to memory of 2076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3792 wrote to memory of 2076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\krnln.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\krnln.dll",#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4092,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.161:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 161.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2320 wrote to memory of 992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2320 wrote to memory of 992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2320 wrote to memory of 992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\BmpOperate.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\BmpOperate.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240419-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\EThread.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\EThread.dll",#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
100s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1928 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\EThread.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\EThread.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4812 wrote to memory of 2936 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4812 wrote to memory of 2936 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4812 wrote to memory of 2936 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\ZCB.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\ZCB.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/2936-0-0x0000000074660000-0x0000000074EB3000-memory.dmp
memory/2936-1-0x0000000074660000-0x0000000074EB3000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2400 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2400 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2400 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2400 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2400 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2400 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2400 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\BmpOperate.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\BmpOperate.dll",#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240508-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2228 wrote to memory of 2416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext3.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext3.dll",#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2240 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2240 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2240 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2240 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2240 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2240 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2240 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\spec.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\spec.dll",#1
Network
Files
memory/2304-1-0x00000000021F0000-0x000000000230A000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1884 wrote to memory of 3160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 3160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 3160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\spec.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\spec.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.88:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
memory/3160-0-0x0000000002A90000-0x0000000002BAA000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240419-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Registration.bat | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe
"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Registration.bat""
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\ZCB\ZCB.dll
Network
Files
memory/2116-2-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-0-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-3-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-4-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-5-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-6-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-8-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-11-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-13-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-17-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-15-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-29-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-48-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-45-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-43-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-41-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-39-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-37-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-35-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-33-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-31-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-27-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-26-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-23-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-21-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2116-20-0x0000000010000000-0x000000001003D000-memory.dmp
C:\Program Files\Registration.bat
| MD5 | d68915023640e63dac11b6c7a1dfa07b |
| SHA1 | afac4d14e71d4474739455d71b197034edeef58a |
| SHA256 | cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937 |
| SHA512 | 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01 |
memory/2116-58-0x0000000010000000-0x000000001003D000-memory.dmp
\??\c:\ZCB\ZCB.dll
| MD5 | 679820559727944c864d3bdd4768a43f |
| SHA1 | 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5 |
| SHA256 | 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6 |
| SHA512 | 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38 |
memory/2572-64-0x0000000073A70000-0x00000000742C3000-memory.dmp
memory/2572-65-0x0000000073A70000-0x00000000742C3000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手浏览器.exe
"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手浏览器.exe"
Network
Files
memory/2932-0-0x0000000000400000-0x000000000049B000-memory.dmp
memory/2932-1-0x0000000000400000-0x000000000049B000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 804 wrote to memory of 3608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 804 wrote to memory of 3608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 804 wrote to memory of 3608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\dp1.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\dp1.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3608 -ip 3608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
102s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4080 wrote to memory of 4796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4080 wrote to memory of 4796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4080 wrote to memory of 4796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\WebBrowser2.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\WebBrowser2.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4020 wrote to memory of 2496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4020 wrote to memory of 2496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4020 wrote to memory of 2496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240508-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2984 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\krnln.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\krnln.dll",#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240221-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Registration.bat | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe
"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Registration.bat""
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\ZCB\ZCB.dll
Network
Files
memory/1784-4-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-2-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-12-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-0-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-46-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-44-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-42-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-40-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-38-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-36-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-34-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-32-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-30-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-28-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-26-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-24-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-22-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-20-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-18-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-16-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-14-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-10-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-8-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-6-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-5-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-3-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1784-49-0x0000000010000000-0x000000001003D000-memory.dmp
C:\Program Files\Registration.bat
| MD5 | d68915023640e63dac11b6c7a1dfa07b |
| SHA1 | afac4d14e71d4474739455d71b197034edeef58a |
| SHA256 | cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937 |
| SHA512 | 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01 |
\??\c:\ZCB\ZCB.dll
| MD5 | 679820559727944c864d3bdd4768a43f |
| SHA1 | 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5 |
| SHA256 | 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6 |
| SHA512 | 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38 |
memory/2448-62-0x0000000073FA0000-0x00000000747F3000-memory.dmp
memory/2448-64-0x0000000073FA0000-0x00000000747F3000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
106s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Registration.bat | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1516 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1516 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1516 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1444 wrote to memory of 3296 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1444 wrote to memory of 3296 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1444 wrote to memory of 3296 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe
"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Registration.bat""
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\ZCB\ZCB.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/1516-43-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-46-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-48-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-47-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-41-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-39-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-36-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-33-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-32-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-30-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-27-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-25-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-23-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-22-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-19-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-17-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-15-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-13-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-11-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-9-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-7-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-3-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-2-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-0-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-37-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1516-5-0x0000000010000000-0x000000001003D000-memory.dmp
C:\Program Files\Registration.bat
| MD5 | d68915023640e63dac11b6c7a1dfa07b |
| SHA1 | afac4d14e71d4474739455d71b197034edeef58a |
| SHA256 | cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937 |
| SHA512 | 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01 |
\??\c:\ZCB\ZCB.dll
| MD5 | 679820559727944c864d3bdd4768a43f |
| SHA1 | 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5 |
| SHA256 | 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6 |
| SHA512 | 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38 |
memory/3296-56-0x0000000074C40000-0x0000000075493000-memory.dmp
memory/3296-57-0x0000000074C40000-0x0000000075493000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240426-en
Max time kernel
128s
Max time network
99s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手浏览器.exe
"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手浏览器.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1300-0-0x0000000000400000-0x000000000049B000-memory.dmp
memory/1300-1-0x0000000000400000-0x000000000049B000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
105s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1172 wrote to memory of 4300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1172 wrote to memory of 4300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1172 wrote to memory of 4300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\const.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\const.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\WebBrowser2.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\WebBrowser2.dll",#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240220-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 2348 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2176 wrote to memory of 2348 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2176 wrote to memory of 2348 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2176 wrote to memory of 2348 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2176 wrote to memory of 2348 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2176 wrote to memory of 2348 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2176 wrote to memory of 2348 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\ZCB.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\ZCB.dll"
Network
Files
memory/2348-0-0x0000000074750000-0x0000000074FA3000-memory.dmp
memory/2348-1-0x0000000074750000-0x0000000074FA3000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1632 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1632 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1632 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1632 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1632 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1632 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1632 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext2.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext2.dll",#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2016 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 2388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\const.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\const.dll",#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240220-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2932 wrote to memory of 2160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 2160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 2160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 2160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 2160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 2160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 2160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\eAPI.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\eAPI.dll",#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 220 wrote to memory of 4332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 220 wrote to memory of 4332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 220 wrote to memory of 4332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\eAPI.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\eAPI.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
131s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Registration.bat | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4768 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4768 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4768 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2600 wrote to memory of 3684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2600 wrote to memory of 3684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2600 wrote to memory of 3684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe
"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Registration.bat""
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\ZCB\ZCB.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
| NL | 23.62.61.88:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/4768-19-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-37-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-46-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-45-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-43-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-41-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-39-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-35-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-33-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-31-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-29-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-27-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-25-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-23-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-21-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-17-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-15-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-9-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-7-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-4-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-3-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-2-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-13-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-11-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-5-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4768-0-0x0000000010000000-0x000000001003D000-memory.dmp
C:\Program Files\Registration.bat
| MD5 | d68915023640e63dac11b6c7a1dfa07b |
| SHA1 | afac4d14e71d4474739455d71b197034edeef58a |
| SHA256 | cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937 |
| SHA512 | 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01 |
\??\c:\ZCB\ZCB.dll
| MD5 | 679820559727944c864d3bdd4768a43f |
| SHA1 | 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5 |
| SHA256 | 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6 |
| SHA512 | 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38 |
memory/3684-54-0x0000000074D00000-0x0000000075553000-memory.dmp
memory/3684-55-0x0000000074D00000-0x0000000075553000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win7-20240215-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2620 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2620 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2620 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2620 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2620 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2620 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2620 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\dp1.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\dp1.dll",#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-14 06:49
Reported
2024-05-14 06:52
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1928 wrote to memory of 3140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 3140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 3140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext2.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext2.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |