Malware Analysis Report

2025-03-15 05:55

Sample ID 240514-hllfpaee77
Target 4092bba54f030ee187b17c836c6793b0_JaffaCakes118
SHA256 d5be0d704750f73bfa21ca7345def0792273261aa9a4fde3f8d86f2eabce0ad0
Tags upx vmprotect
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, in report order; each has the sub-sections Detonation Overview, Command Line, Signatures, Processes, Network and Files:

Analysis: behavioral15
Analysis: behavioral25
Analysis: behavioral30
Analysis: behavioral20
Analysis: behavioral22
Analysis: behavioral2
Analysis: behavioral3
Analysis: behavioral4
Analysis: behavioral8
Analysis: behavioral1
Analysis: behavioral19
Analysis: behavioral23
Analysis: behavioral24
Analysis: behavioral29
Analysis: behavioral31
Analysis: behavioral12
Analysis: behavioral6
Analysis: behavioral16
Analysis: behavioral21
Analysis: behavioral27
Analysis: behavioral28
Analysis: behavioral32
Analysis: behavioral10
Analysis: behavioral5
Analysis: behavioral7
Analysis: behavioral17
Analysis: behavioral9
Analysis: behavioral13
Analysis: behavioral14
Analysis: behavioral26
Analysis: behavioral11
Analysis: behavioral18

Analysis Overview

Score 7/10

SHA256

d5be0d704750f73bfa21ca7345def0792273261aa9a4fde3f8d86f2eabce0ad0

Threat Level: Shows suspicious behavior

The file 4092bba54f030ee187b17c836c6793b0_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx vmprotect

Loads dropped DLL

UPX packed file

VMProtect packed file

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-14 06:49

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (16 matches, all fields N/A)

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext.dll",#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (26 matches, all fields N/A)

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A (3 matches, all fields N/A)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Registration.bat C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Registration.bat""

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 c:\ZCB\ZCB.dll

Network

N/A

Files

memory/2364-0-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-9-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-7-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-2-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-3-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-5-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-4-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-19-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-39-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-41-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-49-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-48-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-45-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-43-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-36-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-34-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-32-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-30-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-28-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-24-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-23-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-21-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-17-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-15-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2364-11-0x0000000010000000-0x000000001003D000-memory.dmp

C:\Program Files\Registration.bat

MD5 d68915023640e63dac11b6c7a1dfa07b
SHA1 afac4d14e71d4474739455d71b197034edeef58a
SHA256 cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937
SHA512 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01

memory/2364-59-0x0000000010000000-0x000000001003D000-memory.dmp

\??\c:\ZCB\ZCB.dll

MD5 679820559727944c864d3bdd4768a43f
SHA1 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5
SHA256 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6
SHA512 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38

memory/1936-65-0x0000000073E90000-0x00000000746E3000-memory.dmp

memory/1936-66-0x0000000073E90000-0x00000000746E3000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (26 matches, all fields N/A)

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A (3 matches, all fields N/A)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Registration.bat C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Registration.bat""

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 c:\ZCB\ZCB.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3400-0-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-33-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-43-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-47-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-46-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-41-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-39-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-37-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-35-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-31-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-29-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-27-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-25-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-23-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-19-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-15-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-13-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-11-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-3-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-2-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-21-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-17-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-9-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-7-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-5-0x0000000010000000-0x000000001003D000-memory.dmp

memory/3400-4-0x0000000010000000-0x000000001003D000-memory.dmp

C:\Program Files\Registration.bat

MD5 d68915023640e63dac11b6c7a1dfa07b
SHA1 afac4d14e71d4474739455d71b197034edeef58a
SHA256 cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937
SHA512 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01

\??\c:\ZCB\ZCB.dll

MD5 679820559727944c864d3bdd4768a43f
SHA1 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5
SHA256 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6
SHA512 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38

memory/1100-55-0x0000000074B00000-0x0000000075353000-memory.dmp

memory/1100-56-0x0000000074B00000-0x0000000075353000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext3.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4544 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4544 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4544 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext3.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext3.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240508-en

Max time kernel

123s

Max time network

132s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\krnln.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3792 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3792 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3792 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\krnln.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\krnln.dll",#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4092,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 161.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 234.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\BmpOperate.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\BmpOperate.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\BmpOperate.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240419-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\EThread.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\EThread.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\EThread.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

100s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\EThread.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\EThread.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\EThread.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

152s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\ZCB.dll"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 2936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4812 wrote to memory of 2936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4812 wrote to memory of 2936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\ZCB.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\ZCB.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/2936-0-0x0000000074660000-0x0000000074EB3000-memory.dmp

memory/2936-1-0x0000000074660000-0x0000000074EB3000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\BmpOperate.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\BmpOperate.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\BmpOperate.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240508-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext3.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext3.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext3.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\spec.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\spec.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\spec.dll",#1

Network

N/A

Files

memory/2304-1-0x00000000021F0000-0x000000000230A000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\spec.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 3160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 3160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 3160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\spec.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\spec.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/3160-0-0x0000000002A90000-0x0000000002BAA000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240419-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Registration.bat C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手_原版.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Registration.bat""

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 c:\ZCB\ZCB.dll

Network

N/A

Files

memory/2116-2-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-0-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-3-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-4-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-5-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-6-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-8-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-11-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-13-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-17-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-15-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-29-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-48-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-45-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-43-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-41-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-39-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-37-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-35-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-33-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-31-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-27-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-26-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-23-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-21-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2116-20-0x0000000010000000-0x000000001003D000-memory.dmp

C:\Program Files\Registration.bat

MD5 d68915023640e63dac11b6c7a1dfa07b
SHA1 afac4d14e71d4474739455d71b197034edeef58a
SHA256 cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937
SHA512 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01

memory/2116-58-0x0000000010000000-0x000000001003D000-memory.dmp

\??\c:\ZCB\ZCB.dll

MD5 679820559727944c864d3bdd4768a43f
SHA1 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5
SHA256 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6
SHA512 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38

memory/2572-64-0x0000000073A70000-0x00000000742C3000-memory.dmp

memory/2572-65-0x0000000073A70000-0x00000000742C3000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手浏览器.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手浏览器.exe

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手浏览器.exe"

Network

N/A

Files

memory/2932-0-0x0000000000400000-0x000000000049B000-memory.dmp

memory/2932-1-0x0000000000400000-0x000000000049B000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\dp1.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 804 wrote to memory of 3608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 804 wrote to memory of 3608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 804 wrote to memory of 3608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\dp1.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\dp1.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

102s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\WebBrowser2.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4080 wrote to memory of 4796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4080 wrote to memory of 4796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4080 wrote to memory of 4796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\WebBrowser2.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\WebBrowser2.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

94s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4020 wrote to memory of 2496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4020 wrote to memory of 2496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4020 wrote to memory of 2496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240508-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\krnln.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\krnln.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\krnln.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240221-en

Max time kernel

122s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Registration.bat C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Registration.bat""

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 c:\ZCB\ZCB.dll

Network

N/A

Files

memory/1784-4-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-2-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-12-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-0-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-46-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-44-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-42-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-40-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-38-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-36-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-34-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-32-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-30-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-28-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-26-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-24-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-22-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-20-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-18-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-16-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-14-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-10-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-8-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-6-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-5-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-3-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1784-49-0x0000000010000000-0x000000001003D000-memory.dmp

C:\Program Files\Registration.bat

MD5 d68915023640e63dac11b6c7a1dfa07b
SHA1 afac4d14e71d4474739455d71b197034edeef58a
SHA256 cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937
SHA512 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01

\??\c:\ZCB\ZCB.dll

MD5 679820559727944c864d3bdd4768a43f
SHA1 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5
SHA256 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6
SHA512 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38

memory/2448-62-0x0000000073FA0000-0x00000000747F3000-memory.dmp

memory/2448-64-0x0000000073FA0000-0x00000000747F3000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Registration.bat C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Registration.bat""

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 c:\ZCB\ZCB.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1516-43-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-46-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-48-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-47-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-41-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-39-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-36-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-33-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-32-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-30-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-27-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-25-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-23-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-22-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-19-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-17-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-15-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-13-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-11-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-9-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-7-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-3-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-2-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-0-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-37-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1516-5-0x0000000010000000-0x000000001003D000-memory.dmp

C:\Program Files\Registration.bat

MD5 d68915023640e63dac11b6c7a1dfa07b
SHA1 afac4d14e71d4474739455d71b197034edeef58a
SHA256 cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937
SHA512 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01

\??\c:\ZCB\ZCB.dll

MD5 679820559727944c864d3bdd4768a43f
SHA1 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5
SHA256 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6
SHA512 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38

memory/3296-56-0x0000000074C40000-0x0000000075493000-memory.dmp

memory/3296-57-0x0000000074C40000-0x0000000075493000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240426-en

Max time kernel

128s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手浏览器.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手浏览器.exe

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手浏览器.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 234.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/1300-0-0x0000000000400000-0x000000000049B000-memory.dmp

memory/1300-1-0x0000000000400000-0x000000000049B000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

105s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\const.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1172 wrote to memory of 4300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1172 wrote to memory of 4300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1172 wrote to memory of 4300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\const.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\const.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 234.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\WebBrowser2.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 3016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 3016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 3016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 3016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 3016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 3016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 3016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\WebBrowser2.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\WebBrowser2.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\ZCB.dll"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\乐刷助手(淘宝小号管理,拍单助手) 2.1.9" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 2348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2176 wrote to memory of 2348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2176 wrote to memory of 2348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2176 wrote to memory of 2348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2176 wrote to memory of 2348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2176 wrote to memory of 2348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2176 wrote to memory of 2348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\ZCB.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\ZCB.dll"

Network

N/A

Files

memory/2348-0-0x0000000074750000-0x0000000074FA3000-memory.dmp

memory/2348-1-0x0000000074750000-0x0000000074FA3000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext2.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1632 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1632 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1632 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1632 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1632 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1632 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext2.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext2.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\const.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\const.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\const.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\eAPI.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\eAPI.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\eAPI.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

94s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\eAPI.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 4332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 220 wrote to memory of 4332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 220 wrote to memory of 4332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\eAPI.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\eAPI.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 234.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Registration.bat C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR\ = "c:\\ZCB" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\ = "ZCBLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID\ = "{FDADFBD5-B162-42D3-AC79-21C88F8888BE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\ProgID\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.1\ = "ZCBPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register\CurVer\ = "REGCOM.Register.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ = "IZCBPlug" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\TypeLib\ = "{683F46C1-F0E9-4F67-BBEA-DFC687E5E3EB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\VersionIndependentProgID\ = "REGCOM.Register" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FDADFBD5-B162-42D3-AC79-21C88F8888BE}\InprocServer32\ = "c:\\ZCB\\ZCB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29921148-DB03-4235-A1EE-307D1056AF5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe

"C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\乐刷助手.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Registration.bat""

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 c:\ZCB\ZCB.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 234.197.17.2.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4768-19-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-37-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-46-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-45-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-43-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-41-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-39-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-35-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-33-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-31-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-29-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-27-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-25-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-23-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-21-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-17-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-15-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-9-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-7-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-4-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-3-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-2-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-13-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-11-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-5-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4768-0-0x0000000010000000-0x000000001003D000-memory.dmp

C:\Program Files\Registration.bat

MD5 d68915023640e63dac11b6c7a1dfa07b
SHA1 afac4d14e71d4474739455d71b197034edeef58a
SHA256 cb9f09b410fc1af8441fa70d4360f723afc3fbf3e2e23c413c43e5e25ef82937
SHA512 59a4a21c5c2a34c32267cb9bdb8536dd4122953727f85fe76bad7964f07108ee6d41e19523b310f190ddf2854324d48a3b57ad3b08ec4fd4926a0290370d8a01

\??\c:\ZCB\ZCB.dll

MD5 679820559727944c864d3bdd4768a43f
SHA1 1fdbf2bc3e3b3134a7c6ffe4274651a872a829e5
SHA256 920c57348a1a1925c7ade23f27eba93eb84827c39381306423a02cbb79a4dfa6
SHA512 40db0fe36df37859d1a78da477ba9967cae93dccaf2caa07bd895c4a73bab019b71038569e3b17cb9b09350b79fe2199fc6bbba23a79ff4017072965b94b3e38

memory/3684-54-0x0000000074D00000-0x0000000075553000-memory.dmp

memory/3684-55-0x0000000074D00000-0x0000000075553000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\dp1.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\dp1.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\dp1.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-14 06:49

Reported

2024-05-14 06:52

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext2.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext2.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\乐刷助手(淘宝小号管理,拍单助手) 2.1.9\iext2.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 234.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 200.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A