Analysis Overview
SHA256
f147e3f89f5289275230c7092638977bf650467751949ceb50f9da48b0fcb0cc
Threat Level: Shows suspicious behavior
The file 544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
UPX packed file
Checks computer location settings
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 10:48
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reporter.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\Reporter.exe | N/A |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reporter.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3248 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | C:\Users\Admin\AppData\Local\Temp\Reporter.exe |
| PID 1640 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\Reporter.exe | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe
"C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe"
C:\Users\Admin\AppData\Local\Temp\Reporter.exe
"C:\Users\Admin\AppData\Local\Temp\Reporter.exe"
C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe
"C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe" auto
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240221-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DEngine.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DEngine.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 280
Network
Files
memory/2824-0-0x0000000000190000-0x00000000001A2000-memory.dmp
memory/2824-1-0x0000000000200000-0x0000000000256000-memory.dmp
memory/2824-3-0x00000000021B0000-0x0000000002400000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DownLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DownLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 232
Network
Files
memory/2212-0-0x0000000000940000-0x0000000000996000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4340 wrote to memory of 1400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DEngine.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DEngine.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1400 -ip 1400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 732
Network
Files
memory/1400-1-0x00000000022C0000-0x0000000002316000-memory.dmp
memory/1400-0-0x0000000002240000-0x0000000002252000-memory.dmp
memory/1400-3-0x0000000002320000-0x0000000002570000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2036 wrote to memory of 2436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameFrame.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameFrame.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2436 -ip 2436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 888
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240508-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reporter.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\Reporter.exe | N/A |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reporter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe
"C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe"
C:\Users\Admin\AppData\Local\Temp\Reporter.exe
"C:\Users\Admin\AppData\Local\Temp\Reporter.exe"
C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe
"C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe" auto
Network
| Country | Destination | Domain | Proto |
Files
C:\Users\Admin\AppData\Local\Temp\Cab7BF5.tmp
C:\Users\Admin\AppData\Local\Temp\Tar7BF8.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
103s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nse50C2.tmp\nsDialogs.dll
C:\Users\Admin\AppData\Local\Temp\nse50C2.tmp\System.dll
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240426-en
Max time kernel
130s
Max time network
103s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4056 wrote to memory of 3956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BRAnyChatCore.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BRAnyChatCore.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240419-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvatarControl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvatarControl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 312
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3388 wrote to memory of 208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 208 -ip 208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 612
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240220-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2276 wrote to memory of 2436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_42.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_42.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2684 wrote to memory of 3196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameEngine.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameEngine.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3196 -ip 3196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 736
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 224
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3952 wrote to memory of 2432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2DEngine.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2DEngine.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4068 wrote to memory of 3920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3920 -ip 3920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 612
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240426-en
Max time kernel
129s
Max time network
100s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5756 wrote to memory of 1700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3dx9d_41.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3dx9d_41.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1700 -ip 1700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 616
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2428 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2DEngine.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2DEngine.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240508-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1712 wrote to memory of 1916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D2DEngine.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D2DEngine.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240419-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameFrame.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameFrame.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 364
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240221-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsy92B0.tmp\nsDialogs.dll
\Users\Admin\AppData\Local\Temp\nsy92B0.tmp\System.dll
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2220 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BRAnyChatCore.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BRAnyChatCore.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240221-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 224
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
107s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1044 wrote to memory of 4312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1044 wrote to memory of 4312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1044 wrote to memory of 4312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameProperty.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameProperty.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4312 -ip 4312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 772
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/4312-4-0x0000000002610000-0x000000000271C000-memory.dmp
memory/4312-11-0x0000000002720000-0x0000000002738000-memory.dmp
memory/4312-10-0x0000000002750000-0x0000000002768000-memory.dmp
memory/4312-8-0x0000000002750000-0x0000000002768000-memory.dmp
memory/4312-7-0x0000000002730000-0x0000000002742000-memory.dmp
memory/4312-6-0x00000000024A0000-0x00000000025AC000-memory.dmp
memory/4312-3-0x0000000002500000-0x0000000002602000-memory.dmp
memory/4312-9-0x0000000002610000-0x000000000271C000-memory.dmp
memory/4312-1-0x00000000024B0000-0x00000000024FD000-memory.dmp
memory/4312-0-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/4312-13-0x00000000024B0000-0x00000000024FD000-memory.dmp
memory/4312-12-0x00000000024B4000-0x00000000024B5000-memory.dmp
memory/4312-14-0x0000000002720000-0x000000000272A000-memory.dmp
memory/4312-16-0x0000000002750000-0x0000000002768000-memory.dmp
memory/4312-15-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/4312-17-0x0000000002610000-0x000000000271C000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 244
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
106s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1004 wrote to memory of 884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1004 wrote to memory of 884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1004 wrote to memory of 884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvatarControl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvatarControl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 792
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.218:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
memory/884-0-0x0000000000C00000-0x0000000000C18000-memory.dmp
memory/884-1-0x0000000002570000-0x000000000267C000-memory.dmp
memory/884-3-0x0000000000BA0000-0x0000000000BB0000-memory.dmp
memory/884-8-0x0000000000C80000-0x0000000000C92000-memory.dmp
memory/884-6-0x0000000000C20000-0x0000000000C6D000-memory.dmp
memory/884-11-0x0000000002570000-0x000000000267C000-memory.dmp
memory/884-10-0x0000000000C00000-0x0000000000C18000-memory.dmp
memory/884-4-0x0000000002570000-0x000000000267C000-memory.dmp
memory/884-2-0x0000000000C00000-0x0000000000C18000-memory.dmp
memory/884-9-0x0000000002680000-0x0000000002782000-memory.dmp
memory/884-12-0x0000000000C24000-0x0000000000C25000-memory.dmp
memory/884-13-0x0000000000C20000-0x0000000000C6D000-memory.dmp
memory/884-15-0x0000000002570000-0x000000000267C000-memory.dmp
memory/884-14-0x0000000000C00000-0x0000000000C18000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
139s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 856 wrote to memory of 1124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 856 wrote to memory of 1124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 856 wrote to memory of 1124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_42.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_42.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.195:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.195:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240508-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3dx9d_41.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3dx9d_41.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 224
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4992 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4992 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4992 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DownLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DownLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/2096-0-0x0000000002DC0000-0x0000000002EC2000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240221-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameEngine.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameEngine.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 280
Network
Files
memory/1880-0-0x00000000001A0000-0x00000000001F6000-memory.dmp
memory/1880-2-0x0000000001FD0000-0x0000000002220000-memory.dmp
memory/1880-3-0x0000000000150000-0x0000000000162000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win7-20240221-en
Max time kernel
120s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameProperty.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameProperty.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 296
Network
Files
memory/2476-0-0x00000000001E0000-0x000000000022D000-memory.dmp
memory/2476-2-0x0000000000120000-0x0000000000130000-memory.dmp
memory/2476-3-0x0000000000290000-0x00000000002E6000-memory.dmp
memory/2476-5-0x0000000001D80000-0x0000000001E8C000-memory.dmp
memory/2476-7-0x0000000001D80000-0x0000000001E8C000-memory.dmp
memory/2476-8-0x0000000000230000-0x0000000000242000-memory.dmp
memory/2476-9-0x0000000000250000-0x0000000000268000-memory.dmp
memory/2476-10-0x0000000000250000-0x0000000000268000-memory.dmp
memory/2476-11-0x0000000001D80000-0x0000000001E8C000-memory.dmp
memory/2476-12-0x0000000000250000-0x0000000000268000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2856 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2856 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2856 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2976 -ip 2976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| BE | 2.17.107.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 104.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-18 10:48
Reported
2024-05-18 10:51
Platform
win10v2004-20240426-en
Max time kernel
133s
Max time network
103s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2948 wrote to memory of 1384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2948 wrote to memory of 1384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2948 wrote to memory of 1384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D2DEngine.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\D2DEngine.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| BE | 2.17.107.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |