Malware Analysis Report

2025-01-22 12:29

Sample ID: 240518-mv7gqsfg75
Target: 544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118
SHA256: f147e3f89f5289275230c7092638977bf650467751949ceb50f9da48b0fcb0cc
Tags: upx aspackv2
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)

Each of the behavioral analyses below has the subsections Detonation Overview, Command Line, Signatures, Processes, Network, Files.

Analysis: behavioral30
Analysis: behavioral15
Analysis: behavioral23
Analysis: behavioral16
Analysis: behavioral28
Analysis: behavioral29
Analysis: behavioral2
Analysis: behavioral12
Analysis: behavioral9
Analysis: behavioral18
Analysis: behavioral19
Analysis: behavioral26
Analysis: behavioral3
Analysis: behavioral8
Analysis: behavioral4
Analysis: behavioral22
Analysis: behavioral7
Analysis: behavioral13
Analysis: behavioral27
Analysis: behavioral1
Analysis: behavioral11
Analysis: behavioral17
Analysis: behavioral32
Analysis: behavioral5
Analysis: behavioral10
Analysis: behavioral20
Analysis: behavioral21
Analysis: behavioral24
Analysis: behavioral25
Analysis: behavioral31
Analysis: behavioral6
Analysis: behavioral14

Analysis Overview

Score: 7/10
SHA256: f147e3f89f5289275230c7092638977bf650467751949ceb50f9da48b0fcb0cc
Threat Level: Shows suspicious behavior

The file 544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: upx aspackv2

ASPack v2.12-2.42

UPX packed file

Checks computer location settings

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-18 10:48

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral30

Detonation Overview

Submitted: 2024-05-18 10:48
Reported: 2024-05-18 10:51
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A
Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\Reporter.exe | N/A
Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe

"C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe"

C:\Users\Admin\AppData\Local\Temp\Reporter.exe

"C:\Users\Admin\AppData\Local\Temp\Reporter.exe"

C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe

"C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe" auto

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 updata.benchi168.com udp
US 8.8.8.8:53 updata.94flash.com udp
US 8.8.8.8:53 updata.zb250.com udp
US 8.8.8.8:53 uysh14.g1qng.com udp
US 8.8.8.8:53 updata.xuhan9.com udp
US 8.8.8.8:53 387eti.39i1f.com udp
US 8.8.8.8:53 updata.hongfa123.com udp
US 8.8.8.8:53 updata2.yp18.com udp
US 8.8.8.8:53 updata1.mx76.com udp
US 8.8.8.8:53 updata.27taoke.com udp
US 8.8.8.8:53 updata.zb679.com udp
US 8.8.8.8:53 73itpp.2009px.com udp
US 8.8.8.8:53 gooqnb.516bn.com udp
DE 3.64.163.50:80 updata.zb679.com tcp
US 8.8.8.8:53 hhaccs.hc529.com udp
US 8.8.8.8:53 25t7gi.jnc9.com udp
US 8.8.8.8:53 h4jdww.cgdmo.com udp
US 8.8.8.8:53 f5ujp6.196ba.com udp
US 8.8.8.8:53 updata.371ju.com udp
US 80.251.217.54:80 updata2.yp18.com tcp
US 8.8.8.8:53 updata.7fuke.com udp
US 8.8.8.8:53 updata.ga361.com udp
US 8.8.8.8:53 0dw6xw.vwbci.com udp
US 8.8.8.8:53 z5re2g.zj029.com udp
US 8.8.8.8:53 updata2.mx76.com udp
US 8.8.8.8:53 updata1.yp18.com udp
US 8.8.8.8:53 54yau9.ztg5.com udp
US 8.8.8.8:53 wh7hta.0ht2u.com udp
US 8.8.8.8:53 l98yde.666world.com udp
US 8.8.8.8:53 aff32r.so0ye.com udp
US 8.8.8.8:53 updata.bali98.com udp
US 107.167.27.70:80 updata1.mx76.com tcp
US 34.160.241.69:5080 hhaccs.hc529.com tcp
US 8.8.8.8:53 updata.jh398.com udp
US 8.8.8.8:53 updata.028lr.com udp
US 8.8.8.8:53 w1uwpl.ehzqp.com udp
US 8.8.8.8:53 updata.xt580.com udp
US 8.8.8.8:53 7m1bqb.cy005.com udp
US 80.251.217.54:80 updata1.yp18.com tcp
US 8.8.8.8:53 7d4tuc.bdzlap.com udp
US 8.8.8.8:53 4jmtu5.gl6pe.com udp
US 8.8.8.8:53 3rb3ww.pcx7u.com udp
US 8.8.8.8:53 zctdnj.52shagua.com udp
US 8.8.8.8:53 updata.lx137.com udp
US 64.32.14.151:80 updata2.mx76.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.163.64.3.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 54.217.251.80.in-addr.arpa udp
US 8.8.8.8:53 70.27.167.107.in-addr.arpa udp
CN 182.61.201.91:5080 h4jdww.cgdmo.com tcp
US 34.205.242.146:5070 l98yde.666world.com tcp
US 8.8.8.8:53 151.14.32.64.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 www.game775.com udp
US 3.130.204.160:80 www.game775.com tcp
US 3.130.204.160:80 www.game775.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 104.26.6.37:443 www.hugedomains.com tcp
US 104.26.6.37:443 www.hugedomains.com tcp
US 8.8.8.8:53 160.204.130.3.in-addr.arpa udp
US 8.8.8.8:53 37.6.26.104.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 8.8.8.8:53 static.hugedomains.com udp
US 8.8.8.8:53 www.google.com udp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 104.26.6.37:443 static.hugedomains.com tcp
US 104.26.6.37:443 static.hugedomains.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 use.typekit.net udp
SE 184.31.15.40:443 use.typekit.net tcp
SE 184.31.15.40:443 use.typekit.net tcp
US 8.8.8.8:53 p.typekit.net udp
SE 184.31.15.48:443 p.typekit.net tcp
SE 184.31.15.48:443 p.typekit.net tcp
US 8.8.8.8:53 229.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 40.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 48.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3248-2-0x0000000001190000-0x00000000011A8000-memory.dmp

memory/3248-1-0x0000000001170000-0x0000000001182000-memory.dmp

memory/3248-12-0x0000000001330000-0x00000000017C1000-memory.dmp

memory/3248-13-0x0000000001800000-0x0000000001A50000-memory.dmp

memory/3248-17-0x0000000001220000-0x000000000132C000-memory.dmp

memory/3248-16-0x0000000001190000-0x00000000011A8000-memory.dmp

memory/3248-15-0x00000000010A0000-0x00000000011AC000-memory.dmp

memory/3248-14-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/3248-10-0x0000000001220000-0x000000000132C000-memory.dmp

memory/3248-6-0x00000000017D0000-0x00000000017FA000-memory.dmp

memory/3248-5-0x00000000011C0000-0x0000000001216000-memory.dmp

memory/3248-0-0x00000000010A0000-0x0000000001164000-memory.dmp

memory/3248-21-0x00000000010A0000-0x00000000010B8000-memory.dmp

memory/3248-20-0x0000000010000000-0x000000001004D000-memory.dmp

memory/3248-23-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/3248-19-0x0000000010004000-0x0000000010005000-memory.dmp

memory/3248-18-0x0000000001800000-0x000000000190C000-memory.dmp

memory/3248-22-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/3248-3-0x00000000011B0000-0x00000000011C0000-memory.dmp

memory/3248-24-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/1640-25-0x0000000000400000-0x00000000004C8000-memory.dmp

memory/3248-27-0x00000000010A0000-0x00000000010B8000-memory.dmp

memory/3248-31-0x0000000010000000-0x000000001004D000-memory.dmp

memory/3248-30-0x0000000001220000-0x000000000132C000-memory.dmp

memory/3248-29-0x0000000001190000-0x00000000011A8000-memory.dmp

memory/3248-28-0x00000000010A0000-0x0000000001164000-memory.dmp

memory/3248-32-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/1640-37-0x0000000000400000-0x00000000004C8000-memory.dmp

memory/2828-45-0x0000000000F80000-0x000000000108C000-memory.dmp

memory/2828-53-0x0000000001130000-0x0000000001380000-memory.dmp

memory/2828-55-0x0000000000F60000-0x0000000000F78000-memory.dmp

memory/2828-57-0x0000000000D10000-0x0000000000D28000-memory.dmp

memory/2828-56-0x0000000000F80000-0x000000000108C000-memory.dmp

memory/2828-54-0x0000000000E70000-0x0000000000F7C000-memory.dmp

memory/1640-52-0x0000000000400000-0x00000000004C8000-memory.dmp

memory/2828-50-0x0000000001100000-0x000000000112A000-memory.dmp

memory/2828-48-0x00000000010A0000-0x00000000010F6000-memory.dmp

memory/2828-47-0x0000000001090000-0x00000000010A0000-memory.dmp

memory/2828-44-0x0000000000F60000-0x0000000000F78000-memory.dmp

memory/2828-43-0x0000000000F40000-0x0000000000F52000-memory.dmp

memory/2828-40-0x0000000000E70000-0x0000000000F34000-memory.dmp

memory/2828-38-0x0000000000D10000-0x0000000000D5D000-memory.dmp

memory/2828-58-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/2828-60-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/2828-59-0x0000000000400000-0x0000000000AEC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FEHPE754\jquery.fancybox.min[1].css

MD5 a2d42584292f64c5827e8b67b1b38726
SHA1 1be9b79be02a1cfc5d96c4a5e0feb8f472babd95
SHA256 5736e3eec0c34bfc288854b7b8d2a8f1e22e9e2e7dae3c8d1ad5dfb2d4734ad0
SHA512 1fd8eb6628a8a5476c2e983de00df7dc47ee9a0501a4ef4c75bc52b5d7884e8f8a10831a35f1cdbf0ca38c325bf8444f6914ba0e9c9194a6ef3d46ac348b51cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\reboot.min[1].css

MD5 51b8b71098eeed2c55a4534e48579a16
SHA1 2ec1922d2bfaf67bf3ffabe43a11e3bf481dc5d7
SHA256 bd78e3bcc569d029e7c709144e4038dede4d92a143e77bc46e4f15913769758b
SHA512 2597223e603e095bf405998aacd8585f85e66de8d992a9078951dd85f462217305e215b4828188bf7840368d8116ed8fb5d95f3bfab00240b4a8ddab71ac760d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\style[1].css

MD5 65760e3b3b198746b7e73e4de28efea1
SHA1 1d1a2cce09b28cffc89378b0a60cbb1aa8a08c4f
SHA256 10e40ea3a2ad69c08d13e194cf13eb4a28a093c939758a17a6a775ef603ac4fc
SHA512 fbcb91f26b7bd874d6a6a3b1d4d6f7277ded091cdae5706c285b4d5d17446a1bf58572c224af38393ce49b310a51d5c5d60711c7094e5d32abbaaf10d1107e1b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\css[1].css

MD5 6974448e2b156c62fee2afbbeaec29ad
SHA1 b028e5a50d4c25a14bdb039e568780ab21c5c639
SHA256 659ef5d62418310dde9221fa0cc7bdfb8c54a1e7f94aaaa15aad37eb2473c30c
SHA512 b1f3f0346774cf21b1ffbeef5291989fae4d6a4a11de2cf4305dc8d58b23d7aad1ad2560d55609b81229eae3da728b9094a8d8580a5c90f96039e29e9a6dbf47

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\zyw6mds[2].css

MD5 a5bb75d5bd1b19def25c1dd4f3d4e09c
SHA1 d0c1457e8f357c964b9d4b6c0788e89717fe651f
SHA256 ff0689879c72300a01eae0c05c3205e2ca57c4bc1a6bfa0718fa6fea4a51627e
SHA512 b9fc57f7ade8f34cb02ece2935acb30757ed846e4bcf81d3fcf5bfcb45611d386bd337a6337e9945c5654cf044dce4dd3fafd60a2b42ed5bdc857ef96d077a69

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\p[1].css

MD5 83d24d4b43cc7eef2b61e66c95f3d158
SHA1 f0cafc285ee23bb6c28c5166f305493c4331c84d
SHA256 1c0ff118a4290c99f39c90abb38703a866e47251b23cca20266c69c812ccafeb
SHA512 e6e84563d3a55767f8e5f36c4e217a0768120d6e15ce4d01aa63d36af7ec8d20b600ce96dcc56de91ec7e55e83a8267baddd68b61447069b82abdb2e92c6acb6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\js[2].js

MD5 d46035451fac88918b55fd4222c7b2b4
SHA1 55e2d202563a67c23ee9b76490ad84e008ced48e
SHA256 003b8444faf57da3714936e950b142cf11433365675932312f788884968bfc49
SHA512 7fd109674e1a0fecfc92e19b346ce34803a0a2138a2d8d286099ac8645f5752c74cf4bcc6d8268b26d68069d99d434416d534ebdd95a0ab2f0ff53e73db0050f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\api[1].js

MD5 561d29df58f07a34702334aa1582b1f9
SHA1 307111fab5dc4167730b840b6f9cc67eaeec2aec
SHA256 6000c59ffc2927848c4f9479344dac73f72d0efe3c6b9fb2b2184dd075e9795a
SHA512 c37deb541ef263809da00d76894d366824da1f237a49360bc08d9e846a0bfdbdbbc7bdc1d500df8c5be2a1ee63553ea6474031ab37c93ba1d7058545e3aeaa41

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\responsive[1].css

MD5 4998fe22f90eacce5aa2ec3b3b37bd81
SHA1 f871e53836d5049ef2dafa26c3e20acab38a9155
SHA256 93fcbfca018780a8af6e48a2c4cd6f7ad314730440236c787d581e2cef1ab8f8
SHA512 822158dac2694341f6cf5c8f14f017ac877c00143194d3cd0a67ffd4d97f9bf8f2305e33b99fa12f62eee53ba18029541c0601ea5496ff50279d1200cfa03232

memory/2828-170-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/2828-172-0x0000000000E70000-0x0000000000F7C000-memory.dmp

memory/2828-174-0x0000000000F80000-0x000000000108C000-memory.dmp

memory/2828-173-0x0000000000F60000-0x0000000000F78000-memory.dmp

memory/2828-175-0x0000000000D10000-0x0000000000D28000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted: 2024-05-18 10:48
Reported: 2024-05-18 10:51
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DEngine.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DEngine.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DEngine.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 280

Network

N/A

Files

memory/2824-0-0x0000000000190000-0x00000000001A2000-memory.dmp

memory/2824-1-0x0000000000200000-0x0000000000256000-memory.dmp

memory/2824-3-0x00000000021B0000-0x0000000002400000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted: 2024-05-18 10:48
Reported: 2024-05-18 10:51
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DownLoad.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DownLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DownLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 232

Network

N/A

Files

memory/2212-0-0x0000000000940000-0x0000000000996000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted: 2024-05-18 10:48
Reported: 2024-05-18 10:51
Platform: win10v2004-20240508-en
Max time kernel: 139s
Max time network: 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DEngine.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4340 wrote to memory of 1400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4340 wrote to memory of 1400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4340 wrote to memory of 1400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DEngine.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DEngine.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1400 -ip 1400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 732

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
BE 88.221.83.195:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 195.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 200.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1400-1-0x00000000022C0000-0x0000000002316000-memory.dmp

memory/1400-0-0x0000000002240000-0x0000000002252000-memory.dmp

memory/1400-3-0x0000000002320000-0x0000000002570000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted: 2024-05-18 10:48
Reported: 2024-05-18 10:51
Platform: win10v2004-20240426-en
Max time kernel: 148s
Max time network: 151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameFrame.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2036 wrote to memory of 2436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2036 wrote to memory of 2436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2036 wrote to memory of 2436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameFrame.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameFrame.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2436 -ip 2436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 888

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 248.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 200.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/2436-3-0x00000000026C0000-0x000000000270D000-memory.dmp

memory/2436-16-0x00000000026C0000-0x00000000027CC000-memory.dmp

memory/2436-19-0x0000000002E60000-0x0000000002EA1000-memory.dmp

memory/2436-20-0x0000000002ED0000-0x0000000003120000-memory.dmp

memory/2436-18-0x0000000000E70000-0x0000000000E88000-memory.dmp

memory/2436-17-0x0000000002820000-0x000000000292C000-memory.dmp

memory/2436-11-0x0000000002990000-0x0000000002E21000-memory.dmp

memory/2436-13-0x0000000002E30000-0x0000000002E5A000-memory.dmp

memory/2436-8-0x0000000002820000-0x000000000292C000-memory.dmp

memory/2436-9-0x0000000002930000-0x0000000002986000-memory.dmp

memory/2436-22-0x00000000026C0000-0x000000000270D000-memory.dmp

memory/2436-21-0x00000000026C4000-0x00000000026C5000-memory.dmp

memory/2436-7-0x0000000002810000-0x0000000002820000-memory.dmp

memory/2436-6-0x0000000000E70000-0x0000000000E88000-memory.dmp

memory/2436-2-0x0000000002710000-0x00000000027D4000-memory.dmp

memory/2436-1-0x0000000000C50000-0x0000000000C62000-memory.dmp

memory/2436-0-0x0000000000C50000-0x0000000000C68000-memory.dmp

memory/2436-23-0x0000000000C50000-0x0000000000C62000-memory.dmp

memory/2436-24-0x0000000000E70000-0x0000000000E88000-memory.dmp

memory/2436-25-0x0000000002820000-0x000000000292C000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted: 2024-05-18 10:48
Reported: 2024-05-18 10:51
Platform: win7-20240508-en
Max time kernel: 149s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reporter.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reporter.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A
Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\Reporter.exe | N/A
Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe

"C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe"

C:\Users\Admin\AppData\Local\Temp\Reporter.exe

"C:\Users\Admin\AppData\Local\Temp\Reporter.exe"

C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe

"C:\Users\Admin\AppData\Local\Temp\GamePlaza.exe" auto

Network

Country Destination Domain Proto
US 8.8.8.8:53 vufwpo.666world.com udp
US 8.8.8.8:53 5ucpw7.g1qng.com udp
US 8.8.8.8:53 updata.xuhan9.com udp
US 8.8.8.8:53 updata.94flash.com udp
US 8.8.8.8:53 wsuk6z.52shagua.com udp
US 8.8.8.8:53 0fkrx8.0ht2u.com udp
US 8.8.8.8:53 suho82.ztg5.com udp
US 8.8.8.8:53 elsx14.hc529.com udp
US 8.8.8.8:53 djb41c.cy005.com udp
US 8.8.8.8:53 4emq7t.ehzqp.com udp
US 8.8.8.8:53 updata.xt580.com udp
US 8.8.8.8:53 wuzj9r.so0ye.com udp
US 8.8.8.8:53 ls6cwc.39i1f.com udp
US 8.8.8.8:53 updata.benchi168.com udp
US 8.8.8.8:53 updata.028lr.com udp
US 8.8.8.8:53 oyehz8.2009px.com udp
US 8.8.8.8:53 updata.hongfa123.com udp
US 8.8.8.8:53 updata2.yp18.com udp
US 8.8.8.8:53 updata1.mx76.com udp
US 8.8.8.8:53 updata.371ju.com udp
US 8.8.8.8:53 t15c8d.zj029.com udp
US 8.8.8.8:53 updata1.yp18.com udp
US 8.8.8.8:53 42s4z7.516bn.com udp
US 8.8.8.8:53 updata.27taoke.com udp
US 8.8.8.8:53 updata.7fuke.com udp
US 8.8.8.8:53 nkorkm.bdzlap.com udp
US 8.8.8.8:53 wf7a5v.cgdmo.com udp
US 8.8.8.8:53 updata2.mx76.com udp
US 8.8.8.8:53 updata.lx137.com udp
US 8.8.8.8:53 pbyzh1.pcx7u.com udp
US 8.8.8.8:53 updata.zb679.com udp
US 8.8.8.8:53 updata.zb250.com udp
US 8.8.8.8:53 updata.ga361.com udp
US 8.8.8.8:53 02knxm.196ba.com udp
US 8.8.8.8:53 updata.bali98.com udp
US 8.8.8.8:53 fin3jm.jnc9.com udp
US 8.8.8.8:53 6gqw3l.gl6pe.com udp
US 8.8.8.8:53 ht027c.vwbci.com udp
US 8.8.8.8:53 updata.jh398.com udp
DE 3.64.163.50:80 updata.zb679.com tcp
US 80.251.217.54:80 updata1.yp18.com tcp
US 80.251.217.54:80 updata1.yp18.com tcp
US 34.160.241.69:5080 elsx14.hc529.com tcp
US 104.160.169.197:80 updata2.mx76.com tcp
US 107.167.27.70:80 updata1.mx76.com tcp
CN 182.61.201.90:5080 wf7a5v.cgdmo.com tcp
US 3.94.41.167:5070 vufwpo.666world.com tcp
US 8.8.8.8:53 www.game775.com udp
US 54.209.32.212:80 www.game775.com tcp
US 54.209.32.212:80 www.game775.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 104.26.6.37:443 www.hugedomains.com tcp
US 104.26.6.37:443 www.hugedomains.com tcp
US 8.8.8.8:53 static.hugedomains.com udp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 8.8.8.8:53 www.google.com udp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 104.26.7.37:443 static.hugedomains.com tcp
US 104.26.7.37:443 static.hugedomains.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 8.8.8.8:53 use.typekit.net udp
SE 184.31.15.40:443 use.typekit.net tcp
SE 184.31.15.40:443 use.typekit.net tcp
SE 184.31.15.40:443 use.typekit.net tcp
US 8.8.8.8:53 p.typekit.net udp
SE 184.31.15.48:443 p.typekit.net tcp
SE 184.31.15.48:443 p.typekit.net tcp
SE 184.31.15.48:443 p.typekit.net tcp

Files

memory/2368-1-0x00000000001C0000-0x00000000001D2000-memory.dmp

memory/2368-0-0x0000000000020000-0x0000000000038000-memory.dmp

memory/2368-4-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/2368-2-0x00000000002A0000-0x00000000002F6000-memory.dmp

memory/2368-5-0x0000000000B60000-0x0000000000C6C000-memory.dmp

memory/2368-6-0x0000000000020000-0x0000000000038000-memory.dmp

memory/2368-8-0x0000000000C70000-0x0000000000CBD000-memory.dmp

memory/2368-10-0x00000000001E0000-0x00000000001F0000-memory.dmp

memory/2368-11-0x0000000000CC0000-0x0000000000D84000-memory.dmp

memory/2368-13-0x0000000000D90000-0x0000000000DBA000-memory.dmp

memory/2368-15-0x0000000000DC0000-0x0000000001010000-memory.dmp

memory/2368-16-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/2368-17-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/2368-19-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/2368-20-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/2368-25-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/2708-26-0x0000000000400000-0x00000000004C8000-memory.dmp

memory/2368-24-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/2368-23-0x0000000000B60000-0x0000000000C6C000-memory.dmp

memory/2368-22-0x0000000000020000-0x0000000000038000-memory.dmp

memory/2708-31-0x0000000000400000-0x00000000004C8000-memory.dmp

memory/2708-33-0x0000000000400000-0x00000000004C8000-memory.dmp

memory/568-43-0x0000000000250000-0x0000000000260000-memory.dmp

memory/568-41-0x0000000000340000-0x000000000038D000-memory.dmp

memory/568-39-0x0000000000C90000-0x0000000000D9C000-memory.dmp

memory/568-50-0x0000000000020000-0x0000000000038000-memory.dmp

memory/568-51-0x0000000000C90000-0x0000000000D9C000-memory.dmp

memory/568-49-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/568-48-0x0000000000E70000-0x00000000010C0000-memory.dmp

memory/568-46-0x00000000003A0000-0x00000000003CA000-memory.dmp

memory/568-44-0x0000000000DA0000-0x0000000000E64000-memory.dmp

memory/2708-38-0x0000000005370000-0x0000000005A5C000-memory.dmp

memory/568-36-0x00000000002E0000-0x0000000000336000-memory.dmp

memory/568-35-0x0000000000230000-0x0000000000242000-memory.dmp

memory/568-52-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/568-54-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/568-53-0x0000000000400000-0x0000000000AEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7BF5.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar7BF8.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96ef9361b5fe0bd8c006fd2ee25597f4
SHA1 2d73cd6bd6ad6abc58a6872444f72e7e939aff79
SHA256 9047f762f274eccb660a7dfd6f8f4f19b7e3cbce1a0e13127c70f6f5f5c57641
SHA512 eb9c068fc9c0bc4f10bb834425556d1b0c2298d464c9e594d3b370e903b8504469b7cd8c04921b477106e5400cc9813c0cd6c5025cd7e00e66eed0268d731c8e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd3cfd848b6155137e60d3a1ed67a428
SHA1 9a484258163b0f06356e85cc03caae9a00664464
SHA256 e4e118be86a009f1c79f99669d50060fcfddf128e02fa58a72f1c6a840b7b7e7
SHA512 cd5110344c387264a29024b6125fe2d7e91a51e5fc8382fd46d84decf07b568a34a32eec31fa7801b560b32c234eead9f495c3607cf868dcebf1fc52fbed537d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 867808037f7f913654519e7242d3705e
SHA1 a4a1a87bb80957918ad39719c01b10cfa2476330
SHA256 177263567c817f5a6f30aa36d3b9784f404681e62209789d9921a61f0f28724c
SHA512 9f6f4e1433349d3e226cc7fb6688e247ec73e34dbd96ebf4767f3da52869c621d769d45eb069671584dda29ee6256dc0a26b6b28ad0ae0a65fb6d17a867abd5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5414b23942ccdf0531ccdacf37b6ca45
SHA1 10d838fd634272112ef58550431f5e21d0839558
SHA256 d33e4b633f6060141bf5b057df5f2bdc886392164eb04a8489b7b576905f8ae5
SHA512 37d06f4c62025af16e5b628b6f5ff4f0f56595c3a20eebe561c52058a1dbdb7140ddec1b7a230b3f243c7a7736a193d56dd95b25f30182c583db86ca3bf9b142

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7c680cc97055dc6dd47c19f9f1812d4
SHA1 4fdacd3e164d942208318f9ccbeac23af9bb4aa8
SHA256 ee41a2ca05321be64fa88426f6588a6b1307fcd3bc7d0f1459d253a27bf11a40
SHA512 7741834cc13058068a12585afa3ed76bbe7efc778d4b2fbe7cac2adf852e47ee0e543880f54206e6c7c85950f4211b8d132eee8cb3f294e11e3f308992d62e5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 847a85d6f770e7104d0e3ddbe15397a4
SHA1 6c3e6d1e61bcee1aaf904152ca3fea78c3d5bb45
SHA256 e753305c161e524cd90ddf2992a410f26a91deb5be05bdcb3d571f7c022f5d72
SHA512 375e33f5cd83e96cc4771503cbf2794b55351b625016c1cdd99b08aa3a3a9c6c1104a8108f3fecd6549789f2a9c1e392b8c9014e3be1ed0d00ae62c732a11ade

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

MD5 c5dfb849ca051355ee2dba1ac33eb028
SHA1 d69b561148f01c77c54578c10926df5b856976ad
SHA256 cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b
SHA512 88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ec082191ef507ee356c8ec974970380
SHA1 2aed6a0c2fedbf9efdd13bbeaa3dcf63981405cb
SHA256 6841fa4f1444ba5d2cb857043a57fd7e230e914d44306f8e21d61219ade9ad16
SHA512 a789f9855de2dca229bbd445e030e3d64123c7f6619d19b2ab6113e27351e13eb021bb4443eafde6adcfa204ad77893e0edb6ae46239bb21e093a1c7ffeb99ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

MD5 08881fc1fdd2b1c1fb0bd13f28fcc9df
SHA1 2a1e38f495a2004302f9fe247e3fa7dfef2986f6
SHA256 19e236d2ad2e19d20729562f382f5f8c523b2cb3bed2127bc56686f5044c3c5a
SHA512 7561f8493f4fec2a240ae66f6942f394082f1cb91aef2c7ed4ed9eb8af76b338ad2237e3c58e8955e6c380b1078c41e4a1e56afdacfab8754b332335dc834d79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f250bd4b6954ad73fc53f3e8715689da
SHA1 df1d598528f55e1eff0c46e91bce090b55aeb7d5
SHA256 220d6e0386cdc9cefb4fd289cca130d7951fa040a2b1030048db6bdbf5023a13
SHA512 3ebb9913ed6ce508386acf84f5404a55abb244782db38fdd684042698a5ff5358ba3ca4c87005f9a618c8d8b303a340bbc99b092073e9e397314fc69f41db8a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11b52904c45c6c202485ed7cb59ebad6
SHA1 dd162b1c0351c875b6629da8fe6352d49256a749
SHA256 1d0a648b5cb644ff907ead74664507716475e51cd6e8293f5ecc1599b91913fb
SHA512 80a51f2e98593bb35d6e8ba598ba30ac3425de3a32cde69d5e05bcce7cc921be173ebaa7ee4528df2f97587493e7813c7607cabad4c4e80d44df88a36bcf4bd4

memory/568-725-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/568-970-0x0000000000020000-0x0000000000038000-memory.dmp

memory/568-980-0x0000000000C90000-0x0000000000D9C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.248:443 www.bing.com tcp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 248.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nse50C2.tmp\nsDialogs.dll

MD5 5b5a2742161b7e1abaabac285380e97d
SHA1 89e0fc319ec58f0b963fe00da23c271792ab027b
SHA256 ea700632792f04c995b92fb729c687ee9cf8ff87ed9f786c454ab1dae2b6d3a1
SHA512 6fafc35f426651f8dd475edcbe66ccd75dc74d2b74c9532c80a15c6d1901d2a77685bff197377202c8fae641064562aafa3985de279b68beaaba853214534cae

C:\Users\Admin\AppData\Local\Temp\nse50C2.tmp\System.dll

MD5 ee98c1c5cb7a32248c9245d6eaaca651
SHA1 e9c69fe615217a4e1158a1fb015b48b25602aa13
SHA256 cdc62858888490db547c66bae1ba19d2c60d0e2175f01226c31919088761b5b9
SHA512 9871c034f7c384e3075e757d838cf0b6ad2e27296662531e2bbc3a39e9d83741cc5d7df919736365fa20574b4b75d025d9e4f5f79d9fee1e6351089ece8feb4b

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240426-en

Max time kernel

130s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BRAnyChatCore.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4056 wrote to memory of 3956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4056 wrote to memory of 3956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4056 wrote to memory of 3956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BRAnyChatCore.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BRAnyChatCore.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
BE 88.221.83.211:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 211.83.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240419-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvatarControl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvatarControl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvatarControl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 312

Network

N/A

Files

memory/3000-0-0x0000000000180000-0x0000000000198000-memory.dmp

memory/3000-1-0x00000000001F0000-0x0000000000202000-memory.dmp

memory/3000-2-0x0000000000210000-0x0000000000266000-memory.dmp

memory/3000-4-0x0000000000790000-0x000000000089C000-memory.dmp

memory/3000-6-0x00000000002F0000-0x000000000033D000-memory.dmp

memory/3000-8-0x00000000001A0000-0x00000000001B0000-memory.dmp

memory/3000-9-0x0000000000180000-0x0000000000198000-memory.dmp

memory/3000-10-0x0000000000790000-0x000000000089C000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3388 wrote to memory of 208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3388 wrote to memory of 208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3388 wrote to memory of 208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 208 -ip 208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_42.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2276 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2276 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2276 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2276 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2276 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2276 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_42.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_42.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameEngine.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 3196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2684 wrote to memory of 3196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2684 wrote to memory of 3196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameEngine.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameEngine.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3196 -ip 3196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 736

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 248.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/3196-2-0x0000000000950000-0x0000000000962000-memory.dmp

memory/3196-0-0x00000000024F0000-0x00000000025F2000-memory.dmp

memory/3196-1-0x0000000002600000-0x0000000002850000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2DEngine.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 2432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3952 wrote to memory of 2432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3952 wrote to memory of 2432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2DEngine.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2DEngine.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
BE 2.17.107.99:443 www.bing.com tcp
BE 88.221.83.195:443 www.bing.com tcp
US 8.8.8.8:53 99.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 195.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 3920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4068 wrote to memory of 3920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4068 wrote to memory of 3920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3920 -ip 3920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 88.221.83.195:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 195.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3dx9d_41.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5756 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5756 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5756 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3dx9d_41.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3dx9d_41.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1700 -ip 1700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2DEngine.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2DEngine.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2DEngine.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D2DEngine.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D2DEngine.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D2DEngine.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240419-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameFrame.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameFrame.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameFrame.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 364

Network

N/A

Files

memory/3024-0-0x0000000001F80000-0x0000000002411000-memory.dmp

memory/3024-3-0x00000000001C0000-0x00000000001D8000-memory.dmp

memory/3024-4-0x0000000000200000-0x0000000000212000-memory.dmp

memory/3024-5-0x0000000000290000-0x00000000002E6000-memory.dmp

memory/3024-7-0x0000000000420000-0x000000000052C000-memory.dmp

memory/3024-9-0x0000000000310000-0x000000000035D000-memory.dmp

memory/3024-11-0x00000000001E0000-0x00000000001F0000-memory.dmp

memory/3024-12-0x0000000002420000-0x00000000024E4000-memory.dmp

memory/3024-14-0x00000000024F0000-0x0000000002531000-memory.dmp

memory/3024-15-0x0000000002540000-0x000000000256A000-memory.dmp

memory/3024-17-0x0000000002570000-0x00000000027C0000-memory.dmp

memory/3024-18-0x00000000001C0000-0x00000000001D8000-memory.dmp

memory/3024-19-0x0000000000420000-0x000000000052C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\544d3ad7cb88ad68a51ad7ca408b7d44_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy92B0.tmp\nsDialogs.dll

MD5 5b5a2742161b7e1abaabac285380e97d
SHA1 89e0fc319ec58f0b963fe00da23c271792ab027b
SHA256 ea700632792f04c995b92fb729c687ee9cf8ff87ed9f786c454ab1dae2b6d3a1
SHA512 6fafc35f426651f8dd475edcbe66ccd75dc74d2b74c9532c80a15c6d1901d2a77685bff197377202c8fae641064562aafa3985de279b68beaaba853214534cae

\Users\Admin\AppData\Local\Temp\nsy92B0.tmp\System.dll

MD5 ee98c1c5cb7a32248c9245d6eaaca651
SHA1 e9c69fe615217a4e1158a1fb015b48b25602aa13
SHA256 cdc62858888490db547c66bae1ba19d2c60d0e2175f01226c31919088761b5b9
SHA512 9871c034f7c384e3075e757d838cf0b6ad2e27296662531e2bbc3a39e9d83741cc5d7df919736365fa20574b4b75d025d9e4f5f79d9fee1e6351089ece8feb4b

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BRAnyChatCore.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BRAnyChatCore.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BRAnyChatCore.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240221-en

Max time kernel

118s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_40.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 224

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameProperty.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 4312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1044 wrote to memory of 4312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1044 wrote to memory of 4312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameProperty.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameProperty.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4312 -ip 4312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 772

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 248.83.221.88.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/4312-4-0x0000000002610000-0x000000000271C000-memory.dmp

memory/4312-11-0x0000000002720000-0x0000000002738000-memory.dmp

memory/4312-10-0x0000000002750000-0x0000000002768000-memory.dmp

memory/4312-8-0x0000000002750000-0x0000000002768000-memory.dmp

memory/4312-7-0x0000000002730000-0x0000000002742000-memory.dmp

memory/4312-6-0x00000000024A0000-0x00000000025AC000-memory.dmp

memory/4312-3-0x0000000002500000-0x0000000002602000-memory.dmp

memory/4312-9-0x0000000002610000-0x000000000271C000-memory.dmp

memory/4312-1-0x00000000024B0000-0x00000000024FD000-memory.dmp

memory/4312-0-0x00000000024A0000-0x00000000024B0000-memory.dmp

memory/4312-13-0x00000000024B0000-0x00000000024FD000-memory.dmp

memory/4312-12-0x00000000024B4000-0x00000000024B5000-memory.dmp

memory/4312-14-0x0000000002720000-0x000000000272A000-memory.dmp

memory/4312-16-0x0000000002750000-0x0000000002768000-memory.dmp

memory/4312-15-0x00000000024A0000-0x00000000024B0000-memory.dmp

memory/4312-17-0x0000000002610000-0x000000000271C000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 244

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvatarControl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1004 wrote to memory of 884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1004 wrote to memory of 884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1004 wrote to memory of 884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvatarControl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvatarControl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 884 -ip 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 792

Network

Country Destination Domain Proto

Files


Analysis: behavioral20

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_42.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 856 wrote to memory of 1124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 856 wrote to memory of 1124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 856 wrote to memory of 1124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_42.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3DX9_42.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3dx9d_41.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3dx9d_41.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D3dx9d_41.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 224

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DownLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 2096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4992 wrote to memory of 2096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4992 wrote to memory of 2096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DownLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DownLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2096 -ip 2096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 620

Network

Country Destination Domain Proto

Files

memory/2096-0-0x0000000002DC0000-0x0000000002EC2000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameEngine.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameEngine.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameEngine.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 280

Network

N/A

Files

memory/1880-0-0x00000000001A0000-0x00000000001F6000-memory.dmp

memory/1880-2-0x0000000001FD0000-0x0000000002220000-memory.dmp

memory/1880-3-0x0000000000150000-0x0000000000162000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win7-20240221-en

Max time kernel

120s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameProperty.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameProperty.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameProperty.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 296

Network

N/A

Files


Analysis: behavioral6

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2976 -ip 2976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 636

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-18 10:48

Reported

2024-05-18 10:51

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D2DEngine.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 1384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2948 wrote to memory of 1384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2948 wrote to memory of 1384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D2DEngine.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\D2DEngine.dll,#1

Network

Country Destination Domain Proto

Files

N/A