Malware Analysis Report

2025-01-22 12:22

Sample ID 240518-ywec5ade99
Target 568e06832051047de9bc483d97a25d9e_JaffaCakes118
SHA256 9ffb084ff31dd3dc50a57e39dd8814a472660c458685ddd63f525dd6a16ade08
Tags
aspackv2 upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9ffb084ff31dd3dc50a57e39dd8814a472660c458685ddd63f525dd6a16ade08

Threat Level: Shows suspicious behavior

The file 568e06832051047de9bc483d97a25d9e_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2 upx

Executes dropped EXE

UPX packed file

ASPack v2.12-2.42

Loads dropped DLL

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 20:07

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WebCtrl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3520 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3520 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WebCtrl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WebCtrl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2296 -ip 2296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2240 -ip 2240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 3328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1548 wrote to memory of 3328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1548 wrote to memory of 3328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3328 -ip 3328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 432 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 432 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 432 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2788 -ip 2788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240508-en

Max time kernel

131s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 c8180586aa753b4d5e214d717c39eb34
SHA1 e7bd1845f8443503e55f477bcd3c03b7fcdf49f4
SHA256 f5040c7856853a5a558f917dcf70303ee9320ed8661fe1544ad32ea73d8127d6
SHA512 25d65c31b2efd72b003ededac1b888a83add3845d773053ffb95e0e995fc11c8fb7d67f91b779117dd42cc9d3473df27381f23992e8b4d7c1e77c82d7c6ca422

\Users\Admin\AppData\Local\Temp\nso15D3.tmp\NSISdl.dll

MD5 33d4a515252e42901fcd3230a749e92f
SHA1 168ccf18807f372d59c954425b23e3ba07b9e32f
SHA256 83817610e28c78c766a183e66d9fa47f1831b702846cae2ec51ba5848c9dbde1
SHA512 fcd40f466403d3243d8a8d2e98aae74f46d5b5e9e254d13485281e86022305a3e8d47c6411175a9f2f90ad8d10aa40614c71329969ef895a20d60688a649adba

\Users\Admin\AppData\Local\Temp\nso15D3.tmp\System.dll

MD5 2b54369538b0fb45e1bb9f49f71ce2db
SHA1 c20df42fda5854329e23826ba8f2015f506f7b92
SHA256 761dcdf12f41d119f49dbdca9bcab3928bbdfd8edd67e314d54689811f9d3e2f
SHA512 25e4898e3c082632dfd493756c4cc017decbef43ffa0b68f36d037841a33f2a1721f30314a85597ac30c7ecc99b7257ea43f3a903744179578a9c65fcf57a8b7

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240508-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 236

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

110s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 900 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 900 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 900 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1780 -ip 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/1780-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/1780-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3108 wrote to memory of 1408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3108 wrote to memory of 1408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3108 wrote to memory of 1408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1408 -ip 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4708 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4708 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 224

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20231129-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PlayGame.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\ = "StartGame Library" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PlayGame.exe" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B} C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PlayGame.exe

"C:\Users\Admin\AppData\Local\Temp\PlayGame.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 box.962.net udp
US 8.8.8.8:53 www.paopaoche.net udp
US 8.8.8.8:53 www.paopaoche.net udp
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
US 8.8.8.8:53 pic.paopaoche.net udp
CN 82.157.27.9:80 pic.paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
US 8.8.8.8:53 s6.cnzz.com udp
CN 220.185.168.234:80 s6.cnzz.com tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 cbjs.baidu.com udp
US 8.8.8.8:53 s94.cnzz.com udp
CN 119.188.176.49:80 cbjs.baidu.com tcp
CN 220.185.168.234:80 s94.cnzz.com tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp

Files

memory/2912-0-0x0000000000400000-0x0000000000791000-memory.dmp

memory/2912-1-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\Greening.dll

MD5 82ccb4dd63833063abd1c56ea80b529a
SHA1 bd89dae631cb68e5fa0c53accc83881f7cd365b3
SHA256 e3dccccc8f63981e528b0823a149f234bfd7cb56a23618f5004e379f8ada7183
SHA512 c908c553b7b9b7053c5938e20fe3ff97591097c3237554da3197b4d078b24cd12a5bb01597347652c422aaa920e86dc38a3776b96a6cfd46222798a3f8036867

\Users\Admin\AppData\Local\Temp\aqhttp.dll

MD5 3c9ec661f20ee6ca4bb17cfe7c0a5174
SHA1 9b9cbfe0e640d7e97c9c6caa5eb5fa9160cfcfe3
SHA256 71fd49b5c6af695e92eea36794025fca1b629cba62be6a5cdaf37648dd412c98
SHA512 2eebe718992a392c9a57a99cd3414e3a52fd14f06d52974d7700d57d9cf6dffafe80061f6f872edd4173982eabb95abbd99694760ce3fb35377513a8cf13ca5a

C:\Users\Admin\AppData\Local\Temp\rungame.ini

MD5 b684707c26eca1dc684e7760c3aab957
SHA1 595178313f3af65d3d2b6a72b3cc7ea94db245fd
SHA256 9a7c0a7f806aa2808fffcd8b7de9cfd1c162d02b0d3ce1ee0ff71d5bb109ba47
SHA512 7be536b5d30d12171743e64ddef7a5da470860301ee4b4f117042054b33bdf0794ffa8a38f53d678ed33148d3bdf5ffbb5cf313af717dbfac63c28933f5ca1c5

memory/2912-27-0x0000000004E00000-0x0000000004E10000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar4022.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb345196abbfa578af42b67fb633b152
SHA1 f55a372e603c7fcde5d29590c9d056e255a4ecdc
SHA256 718405e9d9481ce9f3a98a77ca93971607607a8ad7c08e065239a1a26d662b8c
SHA512 0d3294bc4332209e27167ec99019b47744b7b7c1be59c04c2c76e9c2f28d6cb553bfca346841c783e24551a22d5f19f654c3d787f7bda7800e0fbedcf872d693

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 40a8b306911bb56c0e1f1e40dd3bd65f
SHA1 830e40b4a85c5602dfbb07f36cbcfbf79858fd24
SHA256 44a189dbc831508b0ae27d5b55df601fab4e0c54d31cb6de144e7f068ca802b5
SHA512 7b12e9a4e462f950377fd1023f7002b204ba9bd6509c23ff4c8f723048181d6f48ac7a083f82b502f6b20787e768191dab10c0f2ea68c74bf189e14167174721

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43a8a93d430b4fd5b8a55657dca4346a
SHA1 94de7d3b28f9db3e05b7027d96c22528a4f93125
SHA256 49a580ac298fb1f9c4e28dbe89f6332b8ea0f2e0d0c9b733d3f13fc29fcdbed6
SHA512 8179f2efb601838d68ea5105818474c7ac2c220e6baa8877012426256f23fc2ba7bafc57a93da3b146bf76449c25606e25e890136b784bfe7e7632a8b34c0f26

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZDBETRC1\new[1].htm

MD5 4f8e702cc244ec5d4de32740c0ecbd97
SHA1 3adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA256 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
SHA512 21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

memory/2912-133-0x0000000000400000-0x0000000000791000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZDBETRC1\softmain[1].css

MD5 729aa1f32dc5fe22bc67e7d73895c9c5
SHA1 bd90148bf8c4c47c9639826bde9d2341423dfa73
SHA256 c62bf9e3e8def17b145ee84add6b6f62ec972fd3609dc2a4bf175a2c4b9dbb02
SHA512 813a6d68fbe51a01d3f148a298cdcbf83b7404c895349b6dc42204f29b63bf50ff13d0ff43938a75f6b00dcdd6ea40c422cf8464807a722f387a37b9539aa720

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8FW7RUS3\softui[1].js

MD5 b9582f731eda9c4b2d967fc6d0cd3c02
SHA1 bc79c5b327762f3f3cfb0045c5098f26bdf94ef9
SHA256 de223f2810d08af3ef852c54ad26381998ad6a50fe75142eb505ff8f7058ae36
SHA512 f348ea4e0e129a49fd1cb48fe34bf9cabbd2bfea3167a6fa7d0b91e993711bf19df0d158a4d81ce371516d4ebdb7d25de770e3a1fe59b2258245f203ed83e85a

memory/2912-187-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2912-189-0x0000000004E00000-0x0000000004E10000-memory.dmp

memory/2912-191-0x0000000000400000-0x0000000000791000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

108s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 768 wrote to memory of 4356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 768 wrote to memory of 4356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 768 wrote to memory of 4356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4356 -ip 4356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 224

Network

N/A

Files

memory/2272-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2272-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2272-2-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240220-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1012 wrote to memory of 2724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1012 wrote to memory of 2724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1012 wrote to memory of 2724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2724 -ip 2724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240426-en

Max time kernel

132s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4716 wrote to memory of 4604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4716 wrote to memory of 4604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4716 wrote to memory of 4604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
HK 43.135.124.120:80 paopaoche.net tcp
NL 23.62.61.97:443 www.bing.com tcp
HK 43.135.124.120:80 paopaoche.net tcp
US 8.8.8.8:53 120.124.135.43.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
HK 43.135.124.120:80 paopaoche.net tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 c8180586aa753b4d5e214d717c39eb34
SHA1 e7bd1845f8443503e55f477bcd3c03b7fcdf49f4
SHA256 f5040c7856853a5a558f917dcf70303ee9320ed8661fe1544ad32ea73d8127d6
SHA512 25d65c31b2efd72b003ededac1b888a83add3845d773053ffb95e0e995fc11c8fb7d67f91b779117dd42cc9d3473df27381f23992e8b4d7c1e77c82d7c6ca422

C:\Users\Admin\AppData\Local\Temp\nsi40D3.tmp\NSISdl.dll

MD5 33d4a515252e42901fcd3230a749e92f
SHA1 168ccf18807f372d59c954425b23e3ba07b9e32f
SHA256 83817610e28c78c766a183e66d9fa47f1831b702846cae2ec51ba5848c9dbde1
SHA512 fcd40f466403d3243d8a8d2e98aae74f46d5b5e9e254d13485281e86022305a3e8d47c6411175a9f2f90ad8d10aa40614c71329969ef895a20d60688a649adba

C:\Users\Admin\AppData\Local\Temp\nsi40D3.tmp\System.dll

MD5 2b54369538b0fb45e1bb9f49f71ce2db
SHA1 c20df42fda5854329e23826ba8f2015f506f7b92
SHA256 761dcdf12f41d119f49dbdca9bcab3928bbdfd8edd67e314d54689811f9d3e2f
SHA512 25e4898e3c082632dfd493756c4cc017decbef43ffa0b68f36d037841a33f2a1721f30314a85597ac30c7ecc99b7257ea43f3a903744179578a9c65fcf57a8b7

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240215-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\waterctrl.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2876 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2876 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2876 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2876 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2876 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2876 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\waterctrl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\waterctrl.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\waterctrl.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 3388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1880 wrote to memory of 3388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1880 wrote to memory of 3388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\waterctrl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\waterctrl.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PlayGame.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B} C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PlayGame.exe" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0 C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\ = "StartGame Library" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\PlayGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PlayGame.exe

"C:\Users\Admin\AppData\Local\Temp\PlayGame.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 box.962.net udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 www.paopaoche.net udp
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 120.124.135.43.in-addr.arpa udp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

memory/3480-0-0x0000000000400000-0x0000000000791000-memory.dmp

memory/3480-7-0x00000000008A0000-0x00000000008A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rungame.ini

MD5 2a9a0e434df1dbc8971efe4987a0a059
SHA1 495db10b80d67b294808d712076a305296768675
SHA256 9636556d5a9843976b59f413ead570d9ee4716f5522928529a4a01e6086c3357
SHA512 8e7b412ed25cac1d2149fb1c89e8ffbf171a1f7638138c39d28023357d2d7524b248d087b76e38fdfd5432a76873d6e235d73553edaadd460d1a254201139f75

C:\Users\Admin\AppData\Local\Temp\Greening.dll

MD5 82ccb4dd63833063abd1c56ea80b529a
SHA1 bd89dae631cb68e5fa0c53accc83881f7cd365b3
SHA256 e3dccccc8f63981e528b0823a149f234bfd7cb56a23618f5004e379f8ada7183
SHA512 c908c553b7b9b7053c5938e20fe3ff97591097c3237554da3197b4d078b24cd12a5bb01597347652c422aaa920e86dc38a3776b96a6cfd46222798a3f8036867

C:\Users\Admin\AppData\Local\Temp\aqhttp.dll

MD5 3c9ec661f20ee6ca4bb17cfe7c0a5174
SHA1 9b9cbfe0e640d7e97c9c6caa5eb5fa9160cfcfe3
SHA256 71fd49b5c6af695e92eea36794025fca1b629cba62be6a5cdaf37648dd412c98
SHA512 2eebe718992a392c9a57a99cd3414e3a52fd14f06d52974d7700d57d9cf6dffafe80061f6f872edd4173982eabb95abbd99694760ce3fb35377513a8cf13ca5a

memory/3480-37-0x0000000000400000-0x0000000000791000-memory.dmp

memory/3480-39-0x00000000008A0000-0x00000000008A1000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonLinker.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonLinker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonLinker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 224

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonLinker.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 1124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2256 wrote to memory of 1124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2256 wrote to memory of 1124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonLinker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonLinker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1124 -ip 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 4424 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2436 wrote to memory of 4424 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2436 wrote to memory of 4424 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 224

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 228

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 248

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20231129-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\568e06832051047de9bc483d97a25d9e_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\568e06832051047de9bc483d97a25d9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\568e06832051047de9bc483d97a25d9e_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsoB77.tmp\System.dll

MD5 2b54369538b0fb45e1bb9f49f71ce2db
SHA1 c20df42fda5854329e23826ba8f2015f506f7b92
SHA256 761dcdf12f41d119f49dbdca9bcab3928bbdfd8edd67e314d54689811f9d3e2f
SHA512 25e4898e3c082632dfd493756c4cc017decbef43ffa0b68f36d037841a33f2a1721f30314a85597ac30c7ecc99b7257ea43f3a903744179578a9c65fcf57a8b7

\Users\Admin\AppData\Local\Temp\nsoB77.tmp\ButtonLinker.dll

MD5 dd85ac7d85c92dd0e3cc17dfd4890f54
SHA1 a128fb7a05965c1a9913c6f5e419e6c4c0a7d2fa
SHA256 27abd2a4fb1bf66add60221b52d061bbe24d2d21e13600725ff7a5c6c777b504
SHA512 e4ff8216c65110a9d156f37c2062acb53a72daa8af12dfc24278920d9e1a4083a81b1446759df75405b2da34c7bfb1afc33184feedd0aee4ed73f79fcbb1a8a1

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win10v2004-20240426-en

Max time kernel

131s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\568e06832051047de9bc483d97a25d9e_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\568e06832051047de9bc483d97a25d9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\568e06832051047de9bc483d97a25d9e_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsm3FB9.tmp\System.dll

MD5 2b54369538b0fb45e1bb9f49f71ce2db
SHA1 c20df42fda5854329e23826ba8f2015f506f7b92
SHA256 761dcdf12f41d119f49dbdca9bcab3928bbdfd8edd67e314d54689811f9d3e2f
SHA512 25e4898e3c082632dfd493756c4cc017decbef43ffa0b68f36d037841a33f2a1721f30314a85597ac30c7ecc99b7257ea43f3a903744179578a9c65fcf57a8b7

C:\Users\Admin\AppData\Local\Temp\nsm3FB9.tmp\ButtonLinker.dll

MD5 dd85ac7d85c92dd0e3cc17dfd4890f54
SHA1 a128fb7a05965c1a9913c6f5e419e6c4c0a7d2fa
SHA256 27abd2a4fb1bf66add60221b52d061bbe24d2d21e13600725ff7a5c6c777b504
SHA512 e4ff8216c65110a9d156f37c2062acb53a72daa8af12dfc24278920d9e1a4083a81b1446759df75405b2da34c7bfb1afc33184feedd0aee4ed73f79fcbb1a8a1

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 236

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WebCtrl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WebCtrl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WebCtrl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 236

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-18 20:07

Reported

2024-05-18 20:10

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 224

Network

N/A

Files

N/A