Malware Analysis Report

2025-03-14 23:56

Sample ID 240603-ghwltadf9x
Target 90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118
SHA256 31ddbd4363a91b6cd530e594a912f5160f23709a6f897ba3817237cc9e777049
Tags
persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral18, behavioral27, behavioral29, behavioral2, behavioral22, behavioral12, behavioral21, behavioral31, behavioral19, behavioral25, behavioral5, behavioral11, behavioral15, behavioral20, behavioral1, behavioral3, behavioral7, behavioral8, behavioral9, behavioral13, behavioral17, behavioral23, behavioral26, behavioral30, behavioral4, behavioral6, behavioral14, behavioral24, behavioral28, behavioral32, behavioral10, behavioral16 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

31ddbd4363a91b6cd530e594a912f5160f23709a6f897ba3817237cc9e777049

Threat Level: Shows suspicious behavior

The file 90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence upx

Loads dropped DLL

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Adds Run key to start application

Maps connected drives based on registry

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:48

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 1156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 1156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 1156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240220-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Games Bot.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\GamesBot = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Games Bot.exe\" --startup" C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (binary blob value omitted) C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (binary blob value omitted) C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (binary blob value omitted) C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Games Bot.exe

"C:\Users\Admin\AppData\Local\Temp\Games Bot.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gamesbot.net udp
GB 216.58.213.14:80 www.google-analytics.com tcp

Files

memory/1684-0-0x0000000074ED1000-0x0000000074ED2000-memory.dmp

memory/1684-1-0x0000000074ED0000-0x000000007547B000-memory.dmp

memory/1684-2-0x0000000074ED0000-0x000000007547B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDAE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2b6c209959c8c5b2f10099742c28772
SHA1 c6ecc4a68b63ad9b8808376877e071964b71b3b5
SHA256 64163621bcbd75e6e2f72b86acf294e466e9ef9b8d77cf788d1b13075f3e050b
SHA512 79cc8877a5967256c59429992db6753b89592545ace83e2b010af9a5c9ada0d161552e6716ddbdc943519970bd665dc92f4f63d58d928805011e37277dde8ee2

memory/1684-171-0x0000000074ED0000-0x000000007547B000-memory.dmp

memory/1684-173-0x0000000074ED0000-0x000000007547B000-memory.dmp

memory/1684-174-0x0000000074ED0000-0x000000007547B000-memory.dmp

memory/1684-175-0x0000000074ED0000-0x000000007547B000-memory.dmp

memory/1684-176-0x0000000074ED0000-0x000000007547B000-memory.dmp

memory/1684-177-0x0000000074ED0000-0x000000007547B000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240419-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4588 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe
PID 4588 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe
PID 4588 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe
PID 4588 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe
PID 4588 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe
PID 4588 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe
PID 4588 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe
PID 4588 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe
PID 4588 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe
PID 4588 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe
PID 4588 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe
PID 4588 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe" --GoAn --Supp 570 --Mode CheckInstall --Cid 854ED3A2-6BED-0F47-AD40-9FED04EEC4BE

C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe" --InstSupp --Supp 570 --Ver 155

C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe" --PreCheck 570 --Uid 45CE9ABF9CF3C741A2E83D0D8551A3B3 --Ver 155

C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe" --GoAn --Supp 570 --Mode StartInstall --Cid C7AF1163-999B-DB45-B829-AE836395E456

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 216.58.213.14:80 www.google-analytics.com tcp
US 8.8.8.8:53 supp.gbot.uk.com udp
US 54.153.56.183:80 supp.gbot.uk.com tcp
US 8.8.8.8:53 uk.com udp
US 54.153.56.183:443 uk.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 183.56.153.54.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 177.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 cdn.gbot.uk.com udp
US 54.153.56.183:80 cdn.gbot.uk.com tcp
US 54.153.56.183:443 cdn.gbot.uk.com tcp
GB 216.58.213.14:80 www.google-analytics.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsk2DD7.tmp\System.dll

MD5 3e6bf00b3ac976122f982ae2aadb1c51
SHA1 caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
SHA256 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
SHA512 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\RtHelp.exe

MD5 f652ea124a7544256e7eb97d879a4ab5
SHA1 0b4d50b0b8afadc8b1921311a11c2f35867f9851
SHA256 2149940c37938dd317c2b09d2a16d00535c493a8a8cfbe82d4b0c5ee1637759e
SHA512 d3f0a7adf58e816e9d0ea03dd528e472697fe65e64cc9ecc299de9cbf6d3d56915af059e2751219b6e9df3dd73e011314f325b221ea7b17e53ca09a1b3092c94

C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\Modules\ManXec.dll

MD5 95cf944c390c06a45b7a455ebf340173
SHA1 ad2c1b92932a52c04ace29cb921bd06d1ca56e53
SHA256 3a6886badafbf4dad3da593097117e252475f3296c85071c53da51ccb7009a38
SHA512 9bc85c527741a90f554fe82d4735fdf003e1b0a7ca40404b763627ed1fe0fe489b2c0e603c3cd90a96120ebb242d718835733f1f3988629be4b0c516ac3229d6

C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\MSVCP110.dll

MD5 3e29914113ec4b968ba5eb1f6d194a0a
SHA1 557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256 c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA512 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\MSVCR110.dll

MD5 4ba25d2cbe1587a841dcfb8c8c4a6ea6
SHA1 52693d4b5e0b55a929099b680348c3932f2c3c62
SHA256 b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49
SHA512 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\Modules\CmlProc.dll

MD5 beccdd9df8ec434c9e6eb78fa054363a
SHA1 f690c5eab1c1c39f84b19f3525114a2b3937cedb
SHA256 6f461ce8c1e47844ed11ec53e08d760fa9340a32b04af207a3976cc7f9dd6cef
SHA512 3a6586743f4129c641cb82886225179d218545aebf82546d07f791dbbe270ddb969040fd9a55ad5485678d881e3a3343be27a84ba412d401864edcc581c60f4d

C:\Users\Admin\AppData\Local\Temp\AD99E1A6-74E0-024A-95A9-1082840F260F\Modules\InSes.dll

MD5 7ad47a04c4bf17d6fec2cb25d6c3d58e
SHA1 3e89bb832ad06cf28b64dce60e657edfcc1cc387
SHA256 6837d7c7050bc16a35824de09c345b70365a5e7f3dff61ef496ddc03d889b39e
SHA512 1ff31b057a940e226e0791844db37d5cb00453814665f5110699987417163e8fc739573be9d8507d38a7c6d6bb1b46838466d7dcd064c8300dae07c212bdb3c1

C:\Users\Admin\AppData\Local\Temp\nsk2DD7.tmp\md5dll.dll

MD5 7059f133ea2316b9e7e39094a52a8c34
SHA1 ee9f1487c8152d8c42fecf2efb8ed1db68395802
SHA256 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f
SHA512 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

memory/4588-110-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-132-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-121-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-116-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-113-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-100-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-96-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-92-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-90-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-85-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-82-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-79-0x0000000002160000-0x000000000216A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 05b6056c360014f34681e669739e3701
SHA1 5f8ed087ad3758f43d95a4f94eee735fd9ab7ff5
SHA256 a440a242b2fa395ee44bb66d8dea90e48d29bb70c3005e793d764d4824c0658b
SHA512 bf0e46df7a24cd2e02f43cc5ce83d8c462156c00408a00bfad002ce664f47e922a4b0369f605683ddd5833ea4318f2c7ab19340f9c2f564c425724f02744a5e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9821DD67A94463DFB9F3F00C073D3012

MD5 e4f160bc07e8277ec185446858f43604
SHA1 47115e63b51de62e6c2fc073e17e17662fa81541
SHA256 0af5c4a2f356df51286e8c87bdee067613ac8dca4cd75a4ecb3a2c2e2923cc40
SHA512 9b86cfb2c1446979f5d1fffa65b91d44b400da1e494671011d897306462426a71fc19af6d8e3d22884db7f8f205d5f224442325a646de1c1e6cba68fe3f6196b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9821DD67A94463DFB9F3F00C073D3012

MD5 53b9cb05e2e7d40bbcb388416cf8bea0
SHA1 3f619aefde7b5ab304b824f03cc4680c4462119c
SHA256 52d8fb2aafbd97cfcd96bad0ba48be219d87fcc78f94a45678b7ce784bfe54a9
SHA512 ddde7f5edfebfee305a72b12f99dbbf23bf1af866b33500cef78cb32c56113e3e0429e350baedf94bda2751008db1bc4a42c8c8607313862e7a7f1b2562414df

C:\Users\Admin\AppData\Local\Temp\nsk2DD7.tmp\nsDialogs.dll

MD5 dbdbf4017ff91c9de328697b5fd2e10a
SHA1 b597a5e9a8a0b252770933feed51169b5060a09f
SHA256 be60a00f32924ccbe03f9914e33b8e1ad8c8a1ca442263a69896efba74925b36
SHA512 3befc15aab0a5dbe7fde96155b0499d385f2799b1a2d47ce04f37b5804006b1c6c4fff93d3cedb56a2a8172b23752b6f9dc6168cfce3596b91def3247836cf10

memory/4588-160-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-161-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-163-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-162-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-164-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-165-0x0000000002160000-0x000000000216A000-memory.dmp

memory/4588-166-0x0000000002160000-0x000000000216A000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           149.220.183.52.in-addr.arpa     udp
US       8.8.8.8:53           83.210.23.2.in-addr.arpa        udp
US       20.231.121.79:80     N/A                             tcp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa      udp
US       13.107.246.64:443    N/A                             tcp
US       8.8.8.8:53           71.31.126.40.in-addr.arpa       udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa     udp
US       8.8.8.8:53           13.86.106.20.in-addr.arpa       udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53           14.227.111.52.in-addr.arpa      udp
US       8.8.8.8:53           26.178.89.13.in-addr.arpa       udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 3576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 3576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 3576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 600

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           228.249.119.40.in-addr.arpa     udp
US       8.8.8.8:53           203.107.17.2.in-addr.arpa       udp
US       8.8.8.8:53           76.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53           149.220.183.52.in-addr.arpa     udp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa        udp
US       8.8.8.8:53           18.31.95.13.in-addr.arpa        udp
US       8.8.8.8:53           0.204.248.87.in-addr.arpa       udp
US       52.111.227.11:443    N/A                             tcp
US       8.8.8.8:53           31.243.111.52.in-addr.arpa      udp

Files

memory/3576-0-0x0000000010000000-0x000000001000A000-memory.dmp

memory/3576-1-0x0000000010000000-0x000000001000A000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe"

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 1612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 220

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240508-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240221-en

Max time kernel

140s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 224

Network

N/A

Files

memory/1924-0-0x0000000010000000-0x000000001000A000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           209.205.72.20.in-addr.arpa      udp
US       8.8.8.8:53           0.204.248.87.in-addr.arpa       udp
US       8.8.8.8:53           75.159.190.20.in-addr.arpa      udp
NL       23.62.61.155:443     www.bing.com                    tcp
US       8.8.8.8:53           155.61.62.23.in-addr.arpa       udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa      udp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa        udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           144.107.17.2.in-addr.arpa       udp
US       8.8.8.8:53           14.227.111.52.in-addr.arpa      udp
US       8.8.8.8:53           tse1.mm.bing.net                udp
US       204.79.197.200:443   tse1.mm.bing.net                tcp
US       204.79.197.200:443   tse1.mm.bing.net                tcp
US       8.8.8.8:53           84.65.42.20.in-addr.arpa        udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe
PID 2220 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90ba456307ee8a7f98505aca2a1f3efe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe" --GoAn --Supp 570 --Mode CheckInstall --Cid 689F1039-485A-2A40-9F85-74063AC32164

C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe" --InstSupp --Supp 570 --Ver 155

C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe" --PreCheck 570 --Uid 89592FF08ED7E042951DF54A8A8BDD31 --Ver 155

C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe" --GoAn --Supp 570 --Mode StartInstall --Cid B244C6E3-E47D-714C-BCBB-6026997CC055

Network

Country  Destination          Domain                          Proto
GB       216.58.213.14:80     www.google-analytics.com        tcp
US       8.8.8.8:53           supp.gbot.uk.com                udp
US       54.153.56.183:80     supp.gbot.uk.com                tcp
US       8.8.8.8:53           uk.com                          udp
US       54.153.56.183:443    uk.com                          tcp
US       8.8.8.8:53           cdn.gbot.uk.com                 udp
US       54.153.56.183:80     cdn.gbot.uk.com                 tcp
US       54.153.56.183:443    cdn.gbot.uk.com                 tcp
GB       216.58.213.14:80     www.google-analytics.com        tcp

Files

\Users\Admin\AppData\Local\Temp\nsoE35.tmp\System.dll

MD5 3e6bf00b3ac976122f982ae2aadb1c51
SHA1 caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
SHA256 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
SHA512 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\RtHelp.exe

MD5 f652ea124a7544256e7eb97d879a4ab5
SHA1 0b4d50b0b8afadc8b1921311a11c2f35867f9851
SHA256 2149940c37938dd317c2b09d2a16d00535c493a8a8cfbe82d4b0c5ee1637759e
SHA512 d3f0a7adf58e816e9d0ea03dd528e472697fe65e64cc9ecc299de9cbf6d3d56915af059e2751219b6e9df3dd73e011314f325b221ea7b17e53ca09a1b3092c94

C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\Modules\ManXec.dll

MD5 95cf944c390c06a45b7a455ebf340173
SHA1 ad2c1b92932a52c04ace29cb921bd06d1ca56e53
SHA256 3a6886badafbf4dad3da593097117e252475f3296c85071c53da51ccb7009a38
SHA512 9bc85c527741a90f554fe82d4735fdf003e1b0a7ca40404b763627ed1fe0fe489b2c0e603c3cd90a96120ebb242d718835733f1f3988629be4b0c516ac3229d6

C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\MSVCP110.dll

MD5 3e29914113ec4b968ba5eb1f6d194a0a
SHA1 557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256 c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA512 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\MSVCR110.dll

MD5 4ba25d2cbe1587a841dcfb8c8c4a6ea6
SHA1 52693d4b5e0b55a929099b680348c3932f2c3c62
SHA256 b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49
SHA512 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

C:\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\Modules\CmlProc.dll

MD5 beccdd9df8ec434c9e6eb78fa054363a
SHA1 f690c5eab1c1c39f84b19f3525114a2b3937cedb
SHA256 6f461ce8c1e47844ed11ec53e08d760fa9340a32b04af207a3976cc7f9dd6cef
SHA512 3a6586743f4129c641cb82886225179d218545aebf82546d07f791dbbe270ddb969040fd9a55ad5485678d881e3a3343be27a84ba412d401864edcc581c60f4d

\Users\Admin\AppData\Local\Temp\04F8D3E2-B082-9B43-B42F-1B20548ACE2F\Modules\InSes.dll

MD5 7ad47a04c4bf17d6fec2cb25d6c3d58e
SHA1 3e89bb832ad06cf28b64dce60e657edfcc1cc387
SHA256 6837d7c7050bc16a35824de09c345b70365a5e7f3dff61ef496ddc03d889b39e
SHA512 1ff31b057a940e226e0791844db37d5cb00453814665f5110699987417163e8fc739573be9d8507d38a7c6d6bb1b46838466d7dcd064c8300dae07c212bdb3c1

\Users\Admin\AppData\Local\Temp\nsoE35.tmp\md5dll.dll

MD5 7059f133ea2316b9e7e39094a52a8c34
SHA1 ee9f1487c8152d8c42fecf2efb8ed1db68395802
SHA256 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f
SHA512 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

memory/2220-68-0x00000000003D0000-0x00000000003DA000-memory.dmp

memory/2220-70-0x00000000003D0000-0x00000000003DA000-memory.dmp

memory/2220-71-0x00000000003D0000-0x00000000003DA000-memory.dmp

memory/2220-95-0x00000000003D0000-0x00000000003DA000-memory.dmp

memory/2220-94-0x00000000003D0000-0x00000000003DA000-memory.dmp

memory/2220-93-0x00000000003D0000-0x00000000003DA000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9821DD67A94463DFB9F3F00C073D3012

MD5 e4f160bc07e8277ec185446858f43604
SHA1 47115e63b51de62e6c2fc073e17e17662fa81541
SHA256 0af5c4a2f356df51286e8c87bdee067613ac8dca4cd75a4ecb3a2c2e2923cc40
SHA512 9b86cfb2c1446979f5d1fffa65b91d44b400da1e494671011d897306462426a71fc19af6d8e3d22884db7f8f205d5f224442325a646de1c1e6cba68fe3f6196b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9821DD67A94463DFB9F3F00C073D3012

MD5 04042930c3a1379d01d088dfa2423ae0
SHA1 f4e35829f51aeb8780f4c31b58b3a713d34bca1a
SHA256 03f4e9afd2cb0f807e820fe231fd8f859ac16acb172d7c5d84e1b7296b1d5fae
SHA512 c6bd749ee6ecabfd80bed2369d85ad4b0ae510c87ed36f345027c3b4cce35231061aac4ac669a42a9be0195a50508290df26a2ef6f9f3b7dd777c42246c503c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 a9166f46a4731dacb6146d9db3fabf0d
SHA1 80e5351a1d15608b736b8c9eb52e8363dea65c1a
SHA256 f3c4b01c158c23ab74fd3da8e81c9bce4fa60b400d6a954deb5c19cda039a83b
SHA512 9e5aa8981e694d5ad8f838dafc77c42e35b12bed628d295abd9b5626db61e7e4382859d3aa16437d040e60e80b51d340f5dd255d60afbcf1ab4c1e331070db59

\Users\Admin\AppData\Local\Temp\nsoE35.tmp\nsDialogs.dll

MD5 dbdbf4017ff91c9de328697b5fd2e10a
SHA1 b597a5e9a8a0b252770933feed51169b5060a09f
SHA256 be60a00f32924ccbe03f9914e33b8e1ad8c8a1ca442263a69896efba74925b36
SHA512 3befc15aab0a5dbe7fde96155b0499d385f2799b1a2d47ce04f37b5804006b1c6c4fff93d3cedb56a2a8172b23752b6f9dc6168cfce3596b91def3247836cf10

memory/2220-128-0x00000000003D0000-0x00000000003DA000-memory.dmp

memory/2220-129-0x00000000003D0000-0x00000000003DA000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240419-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 224

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 228

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4268 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4268 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4268 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1236 -ip 1236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3800 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 308

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240508-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 244

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win7-20240508-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 220

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 4320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5088 wrote to memory of 4320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5088 wrote to memory of 4320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4320 -ip 4320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1684 wrote to memory of 2876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1684 wrote to memory of 2876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2876 -ip 2876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 572

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3644 wrote to memory of 4964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3644 wrote to memory of 4964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3644 wrote to memory of 4964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 440 wrote to memory of 612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 440 wrote to memory of 612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 440 wrote to memory of 612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 612 -ip 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 1492 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2168 wrote to memory of 1492 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2168 wrote to memory of 1492 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1492 -ip 1492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3972 wrote to memory of 4936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3972 wrote to memory of 4936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3972 wrote to memory of 4936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4936 -ip 4936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Games Bot.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GamesBot = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Games Bot.exe\" --startup" C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Games Bot.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Games Bot.exe

"C:\Users\Admin\AppData\Local\Temp\Games Bot.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.usertrust.com udp
US 172.64.149.23:80 crl.usertrust.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 gamesbot.net udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3616-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

memory/3616-1-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3616-2-0x00000000750D0000-0x0000000075681000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4

MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

memory/3616-24-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3616-25-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3616-26-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3616-29-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3616-31-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3616-32-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3616-33-0x00000000750D2000-0x00000000750D3000-memory.dmp

memory/3616-34-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3616-35-0x00000000750D0000-0x0000000075681000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 2916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5008 wrote to memory of 2916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5008 wrote to memory of 2916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4204 wrote to memory of 3692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4204 wrote to memory of 3692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4204 wrote to memory of 3692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3692 -ip 3692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 692

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-03 05:48

Reported

2024-06-03 05:51

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 388 wrote to memory of 876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 388 wrote to memory of 876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 388 wrote to memory of 876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 74.239.69.13.in-addr.arpa udp

Files

N/A