Analysis Overview
SHA256
d0da063e0dad6f9b92888f7aaa95887474fedbb786a2c9dff7d72fc81caf18ff
Threat Level: Known bad
The file 672fe68501129c0ba60eec0d6bcddfc0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Detect Blackmoon payload
Blackmoon, KrBanker
Loads dropped DLL
VMProtect packed file
Executes dropped EXE
UPX packed file
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 11:58
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 11:58
Reported
2024-05-22 12:52
Platform
win10v2004-20240426-en
Max time kernel
131s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2456 wrote to memory of 3344 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\插件注册失败打开.bat"
C:\Windows\system32\regsvr32.exe
regsvr32 "C:\windows\yg.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 11:58
Reported
2024-05-22 12:51
Platform
win7-20240508-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\windows\YG.dll | C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\LOL意哥全能辅助.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\VersionIndependentProgID\ = "REGCOM.Register.Api" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\ = "ZCB_APILib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.Api.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.Api\ = "ZCBApiPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\TypeLib\ = "{D7111ECF-2415-46C6-AAD4-EE6802448456}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.Api.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.Api.1\CLSID\ = "{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.Api.1\ = "ZCBApiPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.Api | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.Api\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REGCOM.Register.Api\CurVer\ = "REGCOM.Register.Api.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib\ = "{D7111ECF-2415-46C6-AAD4-EE6802448456}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\ = "ZCBApiPlug Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\InprocServer32\ = "C:\\windows\\YG.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\HELPDIR\ = "C:\\windows" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ = "IZCBApiPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ = "IZCBApiPlug" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib\ = "{D7111ECF-2415-46C6-AAD4-EE6802448456}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\0\win32\ = "C:\\windows\\YG.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\ProgID\ = "REGCOM.Register.Api.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\LOL意哥全能辅助.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\LOL意哥全能辅助.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\LOL意哥全能辅助.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\LOL意哥全能辅助.exe
"C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\LOL意哥全能辅助.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\windows\YG.dll" /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | b.qzone.qq.com | udp |
| HK | 203.205.254.103:80 | b.qzone.qq.com | tcp |
| HK | 203.205.254.103:443 | b.qzone.qq.com | tcp |
| US | 8.8.8.8:53 | ocsp.digicert.cn | udp |
| US | 163.181.154.241:80 | ocsp.digicert.cn | tcp |
Files
C:\windows\YG.dll
| MD5 | 32dc13c8726949f099f8e5f7cebed882 |
| SHA1 | 0489dee6adc4f69c3402daafb9c40d1c71fa1f27 |
| SHA256 | fc4ba7e3ec9282f3c8d1a6754d52245bf1309738180b4e04ba1a2285b27df3c4 |
| SHA512 | 2ec8f44d5c98e26b217c588e456102efbbe67494f4ac1c157bfb78dd47fd8dd4383838222de4e1b232f9eec2cbc4e3df5b418b3a8151eb1789ead93d3425ef8d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 11:58
Reported
2024-05-22 12:49
Platform
win10v2004-20240426-en
Max time kernel
1s
Max time network
7s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\LOL意哥全能辅助.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\LOL意哥全能辅助.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\LOL意哥全能辅助.exe
"C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\LOL意哥全能辅助.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b4055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | b.qzone.qq.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 11:58
Reported
2024-05-22 12:52
Platform
win7-20240221-en
Max time kernel
142s
Max time network
136s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32Srv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32Srv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rundll32Srv.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px8095.tmp | C:\Windows\SysWOW64\rundll32Srv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Windows\SysWOW64\rundll32Srv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Windows\SysWOW64\rundll32Srv.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422544039" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BB1DDE11-1839-11EF-8706-CEEE273A2359} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\lolyg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\lolyg.dll,#1
C:\Windows\SysWOW64\rundll32Srv.exe
C:\Windows\SysWOW64\rundll32Srv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
C:\Users\Admin\AppData\Local\Temp\Cab9915.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar9A67.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7107a7a74d72e2e53f9c1fe3b234883 |
| SHA1 | 54c75d1a0f23539826bc80735f0e123f1d3d5311 |
| SHA256 | 06d66b0b87ac12e34903e2d40296d5255016bb99f8893bfb23fac030d4ca987b |
| SHA512 | a2572af0649588c4a0818972211c51a07eeb31394256d8c90bbea4a1f77270da3194a5e90e0f8debf290357ac8d0b33eb6782b080f30badfa2ac1333d024a4ec |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 11:58
Reported
2024-05-22 12:52
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
129s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\娇滴滴破解.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\娇滴滴破解.exe
"C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\娇滴滴破解.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 11:58
Reported
2024-05-22 12:52
Platform
win7-20240221-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2724 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\插件注册失败打开.bat"
C:\Windows\system32\regsvr32.exe
regsvr32 "C:\windows\yg.dll"
Network
Files
memory/2952-0-0x0000000001D90000-0x0000000001D91000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 11:58
Reported
2024-05-22 12:51
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
129s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32Srv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rundll32Srv.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\pxEBD7.tmp | C:\Windows\SysWOW64\rundll32Srv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Windows\SysWOW64\rundll32Srv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Windows\SysWOW64\rundll32Srv.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108166" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108166" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2330645002" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423147137" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2330645002" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2334082718" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B691F866-1839-11EF-B8C0-4A7C5F4B2F01} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108166" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\lolyg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\lolyg.dll,#1
C:\Windows\SysWOW64\rundll32Srv.exe
C:\Windows\SysWOW64\rundll32Srv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4156,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
memory/4316-1-0x0000000010000000-0x00000000100FC000-memory.dmp
C:\Windows\SysWOW64\rundll32Srv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 11:58
Reported
2024-05-22 12:51
Platform
win7-20240215-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\娇滴滴破解.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\娇滴滴破解.exe
"C:\Users\Admin\AppData\Local\Temp\cfsamdsfzrej_gr\LOL意哥破解版\娇滴滴破解.exe"
Network
Files