Malware Analysis Report

2024-10-19 11:03

Sample ID 240524-y6hhjahh21
Target d16dddc1e9ad69c5ef67afd93eb801c74ca5b95ec8b46741786c8c8ec47b1b1d
SHA256 d16dddc1e9ad69c5ef67afd93eb801c74ca5b95ec8b46741786c8c8ec47b1b1d
Tags
discovery evasion persistence spyware stealer trojan aspackv2 adware
score
10/10

Analysis Overview

score
10/10

SHA256

d16dddc1e9ad69c5ef67afd93eb801c74ca5b95ec8b46741786c8c8ec47b1b1d

Threat Level: Known bad

The file d16dddc1e9ad69c5ef67afd93eb801c74ca5b95ec8b46741786c8c8ec47b1b1d was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan aspackv2 adware

Modifies WinLogon for persistence

Modifies RDP port number used by Windows

Modifies AppInit DLL entries

Reads user/profile data of web browsers

Checks computer location settings

Modifies system executable filetype association

ASPack v2.12-2.42

Checks BIOS information in registry

Checks installed software on the system

Checks whether UAC is enabled

Adds Run key to start application

Maps connected drives based on registry

Installs/modifies Browser Helper Object

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-24 20:23

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE


Analysis: behavioral4

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3852 wrote to memory of 3396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3396-1-0x0000000002CD0000-0x0000000002CFC000-memory.dmp

memory/3396-0-0x0000000010000000-0x0000000010028000-memory.dmp

memory/3396-3-0x00000000014F0000-0x00000000014F1000-memory.dmp

memory/3396-2-0x0000000002F40000-0x0000000002F41000-memory.dmp

memory/3396-10-0x0000000001500000-0x0000000001501000-memory.dmp

memory/3396-9-0x0000000002F20000-0x0000000002F21000-memory.dmp

memory/3396-8-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

memory/3396-7-0x0000000001510000-0x0000000001511000-memory.dmp

memory/3396-6-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

memory/3396-5-0x0000000002F00000-0x0000000002F01000-memory.dmp

memory/3396-4-0x0000000002F10000-0x0000000002F11000-memory.dmp

memory/3396-12-0x0000000002F70000-0x0000000002F71000-memory.dmp

memory/3396-11-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/3396-13-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

memory/3396-14-0x0000000002F90000-0x0000000002F91000-memory.dmp

memory/3396-30-0x00000000030B0000-0x00000000030B1000-memory.dmp

memory/3396-29-0x00000000030C0000-0x00000000030C1000-memory.dmp

memory/3396-28-0x00000000030A0000-0x00000000030A1000-memory.dmp

memory/3396-27-0x0000000003070000-0x0000000003071000-memory.dmp

memory/3396-26-0x0000000003080000-0x0000000003081000-memory.dmp

memory/3396-25-0x0000000003060000-0x0000000003061000-memory.dmp

memory/3396-24-0x0000000003030000-0x0000000003031000-memory.dmp

memory/3396-23-0x0000000003040000-0x0000000003041000-memory.dmp

memory/3396-22-0x0000000003020000-0x0000000003021000-memory.dmp

memory/3396-21-0x0000000003010000-0x0000000003011000-memory.dmp

memory/3396-20-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

memory/3396-19-0x0000000003000000-0x0000000003001000-memory.dmp

memory/3396-18-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

memory/3396-17-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

memory/3396-16-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

memory/3396-15-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3196 wrote to memory of 3436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3436 wrote to memory of 3924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32 /u iesplugin.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 96.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

memory/3436-0-0x0000000010000000-0x0000000010026000-memory.dmp

memory/3436-1-0x0000000000B40000-0x0000000000B6C000-memory.dmp

memory/3436-9-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/3436-10-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/3436-8-0x0000000000B20000-0x0000000000B21000-memory.dmp

memory/3436-7-0x0000000000880000-0x0000000000881000-memory.dmp

memory/3436-6-0x0000000000B30000-0x0000000000B31000-memory.dmp

memory/3436-5-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/3436-4-0x0000000000B80000-0x0000000000B81000-memory.dmp

memory/3436-3-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/3436-2-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/3436-12-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/3436-11-0x00000000024B0000-0x00000000024B1000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win7-20240508-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"

Signatures

Modifies RDP port number used by Windows

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\SpySheriff = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SpySheriff.exe" C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\NextInstance C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\Microsoft\Internet Explorer\Search C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00C6D95F-329C-409a-81D7-C46C66EA7F33}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe

"C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x55c

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpySheriff\SpySheriff.lnk

MD5 a89c9ded5d45d47ee1f844d3d20865f6
SHA1 9f2a22f26a6739b5565e1e696a6fd488da958aca
SHA256 d47c77d13586f2336c9b83fec7bb55f58a86e91bdf9c9a41f48b7dcdbde2bb44
SHA512 754b3f6131d6c78d92272bea1a4bd7457a80b92ecd28f15b4611826640b638fbd75911c8fb43306b1dc97798ae89ece0250187595699a465c29db25b8ed4868b


Analysis: behavioral7

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win7-20240508-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 1668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

Network

N/A

Files


Analysis: behavioral13

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

Signatures

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Nail.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Nail.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Nail.exe C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

Network

N/A

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win7-20240508-en

Max time kernel

120s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B85BB239-F685-4547-B0AC-E8835CD8ED24} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ = "OneSecurity" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ = "IGopher" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\CLSID\ = "{B85BB239-F685-4547-B0AC-E8835CD8ED24}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CLSID\ = "{B85BB239-F685-4547-B0AC-E8835CD8ED24}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\VersionIndependentProgID\ = "OneSecurity.IESecurity" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\ = "SpywareNo IE Security 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESecurity.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ = "IGopher" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESecurity.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CurVer\ = "OneSecurity.IESecurity.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ProgID\ = "OneSecurity.IESecurity.1" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 2792 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

Network

N/A

Files

memory/2792-0-0x0000000010000000-0x0000000010207000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win10v2004-20240426-en

Max time kernel

131s

Max time network

135s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ = "OneSecurity" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B85BB239-F685-4547-B0AC-E8835CD8ED24} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\VersionIndependentProgID\ = "OneSecurity.IESecurity" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESecurity.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CurVer\ = "OneSecurity.IESecurity.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\ = "SpywareNo IE Security 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ = "IGopher" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ = "IGopher" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CLSID\ = "{B85BB239-F685-4547-B0AC-E8835CD8ED24}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESecurity.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ProgID\ = "OneSecurity.IESecurity.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\CLSID\ = "{B85BB239-F685-4547-B0AC-E8835CD8ED24}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 832 wrote to memory of 5044 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

Network

Country Destination Domain Proto

Files

memory/5044-0-0x0000000010000000-0x0000000010207000-memory.dmp

memory/5044-1-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 2132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpySheriff = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SpySheriff.exe" C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Search C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe

"C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 96.196.17.2.in-addr.arpa udp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

C:\SpySheriff.lnk

MD5 e0c391f71563e55b7eeea98b4075b2a1
SHA1 2ee3df870d7bac1caca14837b79bdfebe49f2ddf
SHA256 e6ca305c77528cc1077c4395b94268e815b487a052fc336436423360874626cc
SHA512 c54b56adc6aab79fac1b76ceddcb45a8640a36158805fa641053276747918acaf67d8be0ec90dcd72a899b52bc075933d5e6c8d5abb95e64c5ca642c0205e6d6

memory/4428-10-0x0000000021AF0000-0x0000000021B14000-memory.dmp

memory/4428-9-0x0000000021250000-0x0000000021273000-memory.dmp

memory/4428-8-0x000000001FC70000-0x000000001FC96000-memory.dmp

memory/4428-7-0x000000001E980000-0x000000001E9A8000-memory.dmp

memory/4428-6-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4428-11-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4428-21-0x0000000021AF0000-0x0000000021B14000-memory.dmp

memory/4428-20-0x0000000021250000-0x0000000021273000-memory.dmp

memory/4428-19-0x000000001FC70000-0x000000001FC96000-memory.dmp

memory/4428-18-0x000000001E980000-0x000000001E9A8000-memory.dmp

memory/4428-17-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4428-22-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4428-32-0x0000000000400000-0x0000000001400000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 1580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 1580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 1580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 1580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 1580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 1580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 1580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32 /u iesplugin.dll

Network

N/A

Files

memory/3004-1-0x000000001000C000-0x000000001000D000-memory.dmp

memory/3004-0-0x0000000010000000-0x0000000010026000-memory.dmp

memory/3004-2-0x0000000010000000-0x0000000010026000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Nail.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Nail.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Nail.exe C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4596 wrote to memory of 4260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 4260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 4260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4260-0-0x0000000010000000-0x0000000010023000-memory.dmp

memory/4260-10-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/4260-9-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

memory/4260-1-0x0000000000C30000-0x0000000000C5C000-memory.dmp

memory/4260-8-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

memory/4260-7-0x0000000000C20000-0x0000000000C21000-memory.dmp

memory/4260-6-0x0000000000710000-0x0000000000711000-memory.dmp

memory/4260-5-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/4260-4-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

memory/4260-3-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

memory/4260-2-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/4260-17-0x0000000002390000-0x0000000002391000-memory.dmp

memory/4260-19-0x0000000002360000-0x0000000002361000-memory.dmp

memory/4260-18-0x0000000002350000-0x0000000002351000-memory.dmp

memory/4260-16-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/4260-14-0x0000000002370000-0x0000000002371000-memory.dmp

memory/4260-13-0x0000000002380000-0x0000000002381000-memory.dmp

memory/4260-12-0x0000000000E20000-0x0000000000E21000-memory.dmp

memory/4260-11-0x0000000000E00000-0x0000000000E01000-memory.dmp

memory/4260-15-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/4260-20-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/4260-26-0x0000000002320000-0x0000000002321000-memory.dmp

memory/4260-29-0x0000000002330000-0x0000000002331000-memory.dmp

C:\Windows\Nail.txt

MD5 abf0c43719ac7e4068ff74bde73f1583
SHA1 fae92f9de480ce3453d79b0422b62d4e8471da3e
SHA256 b2d2fecad8f7240814dc4364708825e771342acb072bad3ba2e38e1c79e4e4dd
SHA512 b2d5deea7cb115f2c7c2382e903cde39fb70890af227af128aa7dca69a17398b619134fc9ffbdef11f0d86e609173eef85d2263ece1d581b5c97507596a0f791

memory/4260-28-0x0000000002340000-0x0000000002341000-memory.dmp

memory/4260-27-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

memory/4260-25-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

memory/4260-24-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

memory/4260-23-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

memory/4260-33-0x0000000000C30000-0x0000000000C5C000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 96.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

Signatures

Modifies WinLogon for persistence

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies AppInit DLL entries

persistence

Modifies system executable filetype association

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1556 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1556 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1556 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1556 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1556 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1556 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

Network

N/A

Files

memory/2076-1-0x000000001000B000-0x000000001000C000-memory.dmp

memory/2076-3-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2076-8-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2076-7-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2076-6-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2076-5-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2076-4-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2076-2-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2076-0-0x0000000010000000-0x0000000010024000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-24 20:23

Reported

2024-05-24 20:26

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

110s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

Signatures

Modifies WinLogon for persistence

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies AppInit DLL entries

persistence

Modifies system executable filetype association

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 4084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1492 wrote to memory of 4084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1492 wrote to memory of 4084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 105.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
BE 2.17.196.105:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4084-1-0x0000000000980000-0x00000000009AC000-memory.dmp

memory/4084-0-0x0000000010000000-0x0000000010024000-memory.dmp

memory/4084-10-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/4084-9-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

memory/4084-8-0x00000000009B0000-0x00000000009B1000-memory.dmp

memory/4084-7-0x0000000000950000-0x0000000000951000-memory.dmp

memory/4084-6-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/4084-5-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

memory/4084-4-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/4084-3-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/4084-2-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

memory/4084-12-0x0000000000B20000-0x0000000000B21000-memory.dmp

memory/4084-11-0x0000000000B00000-0x0000000000B01000-memory.dmp