Malware Analysis Report

2025-03-15 05:56

Sample ID 240514-mkkvzscd54
Target c2ffaacfbc43f5107a417a72cf80f930_NeikiAnalytics
SHA256 f402560019eb33dea9ced1593c0cb5d2f6fff974d4e43db8ba551b33b78c8fe8
Tags
vmprotect persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral32, behavioral10, behavioral15, behavioral23, behavioral3, behavioral5, behavioral6, behavioral9, behavioral11, behavioral17, behavioral25, behavioral8, behavioral22, behavioral28, behavioral13, behavioral16, behavioral18, behavioral29, behavioral2, behavioral12, behavioral20, behavioral21, behavioral26, behavioral27, behavioral30, behavioral1, behavioral14, behavioral24, behavioral31, behavioral4, behavioral7, behavioral19 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

f402560019eb33dea9ced1593c0cb5d2f6fff974d4e43db8ba551b33b78c8fe8

Threat Level: Shows suspicious behavior

The file c2ffaacfbc43f5107a417a72cf80f930_NeikiAnalytics was found to show suspicious behavior (score 7/10).

Malicious Activity Summary

vmprotect persistence

Loads dropped DLL

VMProtect packed file

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-14 10:31

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
(14 matches; no indicator details recorded)

NSIS installer

installer
Description Indicator Process Target
(4 matches; no indicator details recorded)

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240226-en

Max time kernel

158s

Max time network

169s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SHOW_COMMAND_LINE_KEYS.bat"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SHOW_COMMAND_LINE_KEYS.bat"

C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe

AmlMaple.exe /?

C:\Users\Admin\AppData\Local\Temp\AM_Restorer.exe

:pidAM412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.201.170:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 170.201.250.142.in-addr.arpa udp

Files

memory/412-0-0x0000000000400000-0x0000000000512000-memory.dmp

memory/412-1-0x0000000000400000-0x0000000000512000-memory.dmp

memory/412-3-0x0000000000400000-0x0000000000512000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4664 wrote to memory of 4520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4664 wrote to memory of 4520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4664 wrote to memory of 4520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4520 -ip 4520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 612
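
The three WriteProcessMemory rows above are the 64-bit rundll32.exe in System32 writing into the 32-bit rundll32.exe it launched from SysWOW64 so that a 32-bit DLL can be loaded; that handoff is standard WoW64 behavior, not injection, and the same writer/target pair recurs in behavioral15, behavioral6, behavioral8, behavioral22 and behavioral16. The crash that follows is consistent with calling an NSIS plugin export (ordinal #1) outside the installer that normally supplies its arguments. The script below is an added triage example, not part of the sandbox report: it parses the write rows and the WerFault command lines of one analysis, labels writer/target image pairs, and ties each write edge to whether its target later crashed. The sample rows are copied from this analysis; the labels are the editor's.

```python
import re
from collections import Counter

# Rows copied from the behavioral10 "Suspicious use of WriteProcessMemory"
# table and the process list above.
WRITE_ROWS = [
    r'PID 4664 wrote to memory of 4520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe',
] * 3
PROCESS_CMDLINES = [
    r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1',
    r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4520 -ip 4520',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 612',
]

# Row layout assumed from the table: PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>
WRITE_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$'
)
# WerFault names the crashed process with -p <pid> (both the -pss and -u forms).
WERFAULT_RE = re.compile(r'werfault\.exe\b.*?\s-p\s+(?P<pid>\d+)', re.I)


def classify_write(src_img, dst_img):
    """Label a writer/target image pair; the labels are the editor's own."""
    s, d = src_img.lower(), dst_img.lower()
    # 64-bit rundll32 re-launching the 32-bit copy for a 32-bit DLL and
    # handing it the command line: expected WoW64 behaviour, not injection.
    if s.endswith('\\system32\\rundll32.exe') and d.endswith('\\syswow64\\rundll32.exe'):
        return 'wow64-rundll32-handoff'
    if s == d:
        return 'same-image-write'   # a binary writing into another instance of itself
    return 'cross-image-write'      # worth a closer look (hollowing, DLL injection)


def summarize(write_rows, cmdlines):
    """Collapse repeated write rows into edges and link them to WerFault crash PIDs."""
    edges, labels = Counter(), {}
    for row in write_rows:
        m = WRITE_RE.match(row.strip())
        if not m:
            continue
        edge = (int(m.group('src')), int(m.group('dst')))
        edges[edge] += 1
        labels[edge] = classify_write(m.group('src_img'), m.group('dst_img'))
    crashed = set()
    for cmd in cmdlines:
        m = WERFAULT_RE.search(cmd)
        if m:
            crashed.add(int(m.group('pid')))
    findings = [
        {'src': src, 'dst': dst, 'writes': n, 'label': labels[(src, dst)],
         'target_crashed': dst in crashed}
        for (src, dst), n in edges.items()
    ]
    return {'edges': findings, 'crashed': crashed}


if __name__ == '__main__':
    result = summarize(WRITE_ROWS, PROCESS_CMDLINES)
    for e in result['edges']:
        print(f"{e['src']} -> {e['dst']} x{e['writes']} {e['label']} crashed={e['target_crashed']}")
```

A cross-image write (for example a dropped executable writing into a browser or a system binary) is the case that deserves the "injection" reading; the System32 to SysWOW64 rundll32 pair is background noise on any 64-bit image.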

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 131.253.33.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240508-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AmlMaple.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AmlMaple.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AmlMaple.dll,#1

Network

N/A

Files

memory/2132-1-0x0000000010000000-0x000000001000A000-memory.dmp

memory/2132-2-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2132-0-0x0000000010000000-0x000000001000A000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240508-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_By.chm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_By.chm

Network

N/A

Files

memory/1944-25-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 248

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20231129-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 224

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 1088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3444 wrote to memory of 1088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3444 wrote to memory of 1088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1088 -ip 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240220-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AM_Exit.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AM_Exit.exe

"C:\Users\Admin\AppData\Local\Temp\AM_Exit.exe"

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240221-en

Max time kernel

122s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aml Maple = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AmlMaple.exe /autoload" C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe

"C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe"

C:\Users\Admin\AppData\Local\Temp\AM_Restorer.exe

:pidAM1736

Network

N/A

Files

memory/1736-2-0x0000000000400000-0x0000000000512000-memory.dmp

memory/1736-0-0x0000000000400000-0x0000000000512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LocalizationExample.lng

MD5 d7abc41566d5ce97c104a3d8426c8d86
SHA1 a2cac5939fefdbd53084d6601ad5422518ae06de
SHA256 ff35f70cf92627322c14a2ecfaf72a3ef264b4dff7fa6929c099111d7f978ca8
SHA512 e5e86a9f3f35fba7ba186795852e4bc4e7bce52e641a0dadaf9a189b1dda433bcda15a80edf8a9dce227921beb968be39e61e1a415333997356bb422f2dfcbe0

C:\Users\Admin\AppData\Local\Temp\Italian.lng

MD5 639b220f6a60015cd6d28210e4d7f133
SHA1 d28e5b3bc0d8512d290979eabdf9dc6fc603cbed
SHA256 16f8d1d72af05a2bb9d6b570643c9562e65c97283c30dda2af5d397008327140
SHA512 159f065bf36ca5fdbc6272ddbb93afba496db067248a0338a1ad9463b56c06beb310d6beb553bc5217961da37ec59a66f4adea623d12cedac402c7a42b5fb2eb

C:\Users\Admin\AppData\Local\Temp\Italian.lng

MD5 f85d78343d5ba2640d85bcacc3d9d2a8
SHA1 156404d231271dcdf993f09b332ae4ca8a579e2d
SHA256 b06b654d5ea2ab0b1e936c298156317da8e60f6fb7a4bb9e743f46d343c516ec
SHA512 a54531cdbeaf7160ac96f5d4a60bfcdbecdff9e5f730f5d726d43d6eb2cad211a04a00e03c4f9772057df432db2a54a68beeffcd1e09ee5db38185ad5202a8d8

C:\Users\Admin\AppData\Local\Temp\LocalizationExample.lng

MD5 d97327936bb7c3a0378c8c2a5249be56
SHA1 4b40cef9e11f6cc0c1dc8c745253029df540ae56
SHA256 d4ea4288727c0884203842aaf5f5f650f5793848c50c37cb3459268b862b868a
SHA512 8ebaad8d275a93963048244d578de7d2969960b632b2dc5e3a721b275e39757f71f2b9e3f4824a737c08128b0a33bff1b4a531e98cc60595de134f7737d17ca6

C:\Users\Admin\AppData\Local\Temp\LocalizationExample.lng

MD5 bc3f11eec741681ef4cc8e95ac3d28ce
SHA1 957b4b004dc685dfe2c425765cb1b824f7e321a6
SHA256 4783e76bb63b71ef37655d3380da69331c26e873f03ca54ee5466886d1961c42
SHA512 e90a79c68edfb2ae54f2faeafef16d52015a6f9d8731a5cef699bcdb681054b5510b09a302387b426c6407f0fa72a14af95f9f14cb7a7163ee706ab8ef7d42d8

C:\Users\Admin\AppData\Local\Temp\Italian.lng

MD5 995c4487e8ea45e2087565e4f323f618
SHA1 dec8d2c0ff8be1ce0b733f5ee605c91c27e9ea33
SHA256 d3ec52f52b7f359a9405a0bfc672ca6ecef39747bf0f77467b4d344f1157085e
SHA512 b8fb0eb93b812e7099f36aefc89e4374380c9558b38be38e55fa6a199d3f19db35d02d33d3e2f289811536defc6ff1b1c600cbf88b6d1d2dab5db4d660013387

memory/1736-1267-0x0000000000400000-0x0000000000512000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_En.chm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_En.chm

Network

N/A

Files

memory/2320-23-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 452 wrote to memory of 4904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 452 wrote to memory of 4904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 452 wrote to memory of 4904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GGSoundUtil.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4516 wrote to memory of 1880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4516 wrote to memory of 1880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4516 wrote to memory of 1880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GGSoundUtil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GGSoundUtil.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

108s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_Ru.chm

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_Ru.chm

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AM_Restorer.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AM_Restorer.exe

"C:\Users\Admin\AppData\Local\Temp\AM_Restorer.exe"

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AmlMaple.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 436 wrote to memory of 1836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 436 wrote to memory of 1836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 436 wrote to memory of 1836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AmlMaple.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AmlMaple.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3924 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.137:443 www.bing.com tcp
US 8.8.8.8:53 137.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/1836-0-0x0000000010000000-0x000000001000A000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aml Maple = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AmlMaple.exe /autoload" C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A
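
The Run-key rows in behavioral17 (Windows 7 image) and in this analysis (Windows 10 image) are the report's persistence evidence: the value "Aml Maple" under the logged-on user's Run key points back at the executable in the user's Temp directory. The script below is an added example, not part of the sandbox report, that parses such indicator rows into something an analyst can act on: it converts the native \REGISTRY\USER\<SID> path into the HKU\<SID> form (HKCU for that user), unescapes the doubled backslashes, splits the autostart command into executable and arguments, and flags an autostart target living in a temp directory. The two sample rows are copied from the report; the temp-directory list and the flag wording are the editor's.

```python
import re

# Two "Adds Run key to start application" indicator rows copied from the
# behavioral17 (Windows 7) and behavioral18 (Windows 10) tables.
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aml Maple = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AmlMaple.exe /autoload" C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aml Maple = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AmlMaple.exe /autoload" C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A',
]

# Row layout assumed from the tables:
#   Set value (<type>) <key path>\<value name> = "<data>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*?)" '
    r'(?P<process>\S+) (?P<target>\S+)$'
)
# Native NT hive paths -> the names an analyst would query on a live host.
USER_HIVE_RE = re.compile(r'^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\(.*)$', re.I)
MACHINE_HIVE_RE = re.compile(r'^\\REGISTRY\\MACHINE\\(.*)$', re.I)
AUTOSTART_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.I)
# Locations an autostart entry should not normally point into (editor's list).
TEMP_DIRS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\', '\\users\\public\\')


def normalize_key(nt_path):
    """Map \\REGISTRY\\USER\\<SID>\\... to HKU\\<SID>\\... and \\REGISTRY\\MACHINE to HKLM."""
    m = USER_HIVE_RE.match(nt_path)
    if m:
        return 'HKU\\' + m.group(1) + '\\' + m.group(2), m.group(1)
    m = MACHINE_HIVE_RE.match(nt_path)
    if m:
        return 'HKLM\\' + m.group(1), None
    return nt_path, None


def split_command(data):
    """Unescape the report's doubled backslashes and split exe from its arguments."""
    cmd = data.replace('\\\\', '\\')
    if cmd.startswith('"'):            # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(' ')
    return exe, rest.split()


def parse_run_key_rows(rows):
    hits = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        key_path, value_name = m.group('key').rsplit('\\', 1)
        key, sid = normalize_key(key_path)
        exe, args = split_command(m.group('data'))
        flags = []
        if any(d in exe.lower() for d in TEMP_DIRS):
            flags.append('autostart target lives in a temp directory')
        if exe.lower() != m.group('process').lower():
            flags.append('autostart target differs from the writing process')
        hits.append({
            'key': key, 'sid': sid, 'value_name': value_name,
            'is_autostart_key': bool(AUTOSTART_RE.search(key_path)),
            'exe': exe, 'args': args, 'writer': m.group('process'), 'flags': flags,
        })
    return hits


if __name__ == '__main__':
    for h in parse_run_key_rows(RUN_KEY_ROWS):
        print(f"{h['key']}\\{h['value_name']} -> {h['exe']} {' '.join(h['args'])}")
        for f in h['flags']:
            print('  !', f)
```

On a live host the same entry is read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run for the affected user; the SID in the sandbox row identifies that user, and a different SID per detonation is expected since each image has its own accounts.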

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe

"C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe"

C:\Users\Admin\AppData\Local\Temp\AM_Restorer.exe

:pidAM3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4444 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x48c 0x4c4

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
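
The network table above mixes three kinds of rows: reverse lookups the sandbox resolver sends to 8.8.8.8 for every IP it saw (the in-addr.arpa names, whose octets are the IP written backwards), forward queries, and the actual connections. Reading it by hand, the rows worth attention in this analysis are the two TCP connections with no resolved domain (20.231.121.79:80 and 13.107.246.64:443); the Bing, Edge and Chrome Web Store traffic seen across the other detonations is the image's own background activity. The script below is an added triage example, not part of the sandbox report: it classifies the rows, recovers the IP behind each PTR name, separates baseline domains from unexplained connections, and marks connections whose IP also appears in a reverse lookup. The rows are copied from this analysis plus the two chromewebstore rows from behavioral32 to show the correlation; the baseline domain list is the editor's assumption, not the sandbox's.

```python
import ipaddress

# Rows copied from the behavioral18 network table, plus the two
# chromewebstore rows from behavioral32 for the PTR/connection correlation.
NETWORK_ROWS = """
US 20.231.121.79:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.201.170:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 170.201.250.142.in-addr.arpa udp
"""

# Domains the sandbox image itself talks to (Bing tiles, Edge, Chrome Web
# Store). Editor's baseline; tune it per sandbox image.
BASELINE_SUFFIXES = ('.bing.com', '.bing.net', 'chromewebstore.googleapis.com')
RESOLVER = '8.8.8.8'


def parse_row(line):
    """Country Destination [Domain] Proto -> dict; Domain is optional in the report."""
    parts = line.split()
    if len(parts) not in (3, 4):
        return None
    ip, port = parts[1].rsplit(':', 1)
    domain = parts[2] if len(parts) == 4 else ''
    return {'country': parts[0], 'ip': ip, 'port': int(port),
            'domain': domain, 'proto': parts[-1]}


def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'; None for anything else."""
    suffix = '.in-addr.arpa'
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split('.')
    if len(octets) != 4:
        return None
    ip = '.'.join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def is_baseline(domain):
    return any(domain == s.lstrip('.') or domain.endswith(s) for s in BASELINE_SUFFIXES)


def triage(text):
    ptr_ips, background, unexplained = set(), [], []
    for line in text.strip().splitlines():
        row = parse_row(line)
        if row is None:
            continue
        if row['ip'] == RESOLVER and row['port'] == 53:
            ip = ptr_to_ip(row['domain'])
            if ip:
                ptr_ips.add(ip)
            continue  # forward queries are attributed through the connection rows
        conn = (row['ip'], row['port'], row['domain'])
        (background if is_baseline(row['domain']) else unexplained).append(conn)
    # An IP that was both connected to and reverse-looked-up is a socket the
    # guest really opened, not a stray DNS artifact.
    corroborated = {c for c in background + unexplained if c[0] in ptr_ips}
    return {'ptr_ips': ptr_ips, 'background': background,
            'unexplained': unexplained, 'corroborated': corroborated}


if __name__ == '__main__':
    result = triage(NETWORK_ROWS)
    for ip, port, domain in result['unexplained']:
        print(f'review: {ip}:{port} {domain or "(no domain)"}')
    print('reverse-looked-up IPs:', sorted(result['ptr_ips']))
```

An unresolved destination is a gap to close with passive DNS or ownership data, not evidence of command and control on its own; the report gives no further context for the two flagged here. Most of the reverse-looked-up IPs correspond to no connection row at all, which means the report's connection list is not the full set of sockets the guest opened.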

Files

memory/3352-0-0x0000000000400000-0x0000000000512000-memory.dmp

memory/3352-1-0x0000000000400000-0x0000000000512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Italian.lng

MD5 5feb248be627a97cb9f01dad66b130ca
SHA1 5d350276c91a21efd178261c704c6121e2bfa4a4
SHA256 5645c07278b2136b11b07fa0ea0534a086c1b391997d3290580c4f76dc493295
SHA512 a850dccd1b9bc9ab8d3f6218fca4fd24b08255e8a0b2b1aafd1d7a820618d8150b00349e6c7e7092656241bad4e5654848975ac36b7c108d1507a62cc4a5a3c8

C:\Users\Admin\AppData\Local\Temp\LocalizationExample.lng

MD5 74173d17a25d88e3aa71782f40b94f6d
SHA1 3127c341c50a4d28ed301148dc7895d08243a055
SHA256 b98f8649e767463ad8409b2ce7a5d0c2fee979dbedd46f192681c83b6bbe9ca4
SHA512 378667cd17c891b19ce83c36f7c973723d0cdd2e0b48ab64a96ef91b17d196dd7962bf580c9370bdc6c650a1c20529ba9b06f51173c6fcf9240372d40d433bf1

C:\Users\Admin\AppData\Local\Temp\Italian.lng

C:\Users\Admin\AppData\Local\Temp\LocalizationExample.lng

C:\Users\Admin\AppData\Local\Temp\LocalizationExample.lng

C:\Users\Admin\AppData\Local\Temp\Italian.lng

C:\Users\Admin\AppData\Local\Temp\LocalizationExample.lng

C:\Users\Admin\AppData\Local\Temp\Italian.lng

C:\Users\Admin\AppData\Local\Temp\LocalizationExample.lng

C:\Users\Admin\AppData\Local\Temp\Italian.lng

memory/3352-1291-0x0000000000400000-0x0000000000512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AmlMaple.ini

C:\Users\Admin\AppData\Local\Temp\AmlMaple.ini

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20231129-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_UK.chm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_UK.chm

Network

N/A

Files

memory/1044-19-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2ffaacfbc43f5107a417a72cf80f930_NeikiAnalytics.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\c2ffaacfbc43f5107a417a72cf80f930_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c2ffaacfbc43f5107a417a72cf80f930_NeikiAnalytics.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\nss4075.tmp\LangDLL.dll

C:\Users\Admin\AppData\Local\Temp\nss4075.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nss4075.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\nss4075.tmp\ioSpecial.ini

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AM_Exit.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AM_Exit.exe

"C:\Users\Admin\AppData\Local\Temp\AM_Exit.exe"

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FlgCrt.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FlgCrt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FlgCrt.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1164 -ip 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 612

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240508-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GGSoundUtil.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GGSoundUtil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GGSoundUtil.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_En.chm

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_En.chm

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240508-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_Ru.chm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_Ru.chm

Network

N/A

Files

memory/1936-23-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

98s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_UK.chm

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_UK.chm

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20231129-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2ffaacfbc43f5107a417a72cf80f930_NeikiAnalytics.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\c2ffaacfbc43f5107a417a72cf80f930_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c2ffaacfbc43f5107a417a72cf80f930_NeikiAnalytics.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsdE44.tmp\LangDLL.dll

\Users\Admin\AppData\Local\Temp\nsdE44.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsdE44.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\nsdE44.tmp\ioSpecial.ini

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AM_Restorer.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AM_Restorer.exe

"C:\Users\Admin\AppData\Local\Temp\AM_Restorer.exe"

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_By.chm

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Help_By.chm

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240221-en

Max time kernel

120s

Max time network

129s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\SHOW_COMMAND_LINE_KEYS.bat"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\SHOW_COMMAND_LINE_KEYS.bat"

C:\Users\Admin\AppData\Local\Temp\AmlMaple.exe

AmlMaple.exe /?

C:\Users\Admin\AppData\Local\Temp\AM_Restorer.exe

:pidAM2696

Network

N/A

Files

memory/2696-2-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2696-0-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2696-3-0x0000000000400000-0x0000000000512000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

165s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 4256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3016 wrote to memory of 4256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3016 wrote to memory of 4256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4256 -ip 4256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240419-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 224

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-14 10:31

Reported

2024-05-14 10:34

Platform

win7-20240220-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FlgCrt.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FlgCrt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FlgCrt.dll,#1

Network

N/A

Files

N/A