Malware Analysis Report

2025-01-03 09:29

Sample ID 240604-t4jklach61
Target 958b53c49483769260603cac186dcce1_JaffaCakes118
SHA256 1d1d05ac7e20bc213fc86ebf59393694f74efa59f7f61465db20d6c20c49c6fa
Tags bootkit persistence
Score 6/10

Analysis Overview

score
6/10

SHA256

1d1d05ac7e20bc213fc86ebf59393694f74efa59f7f61465db20d6c20c49c6fa

Threat Level: Shows suspicious behavior

The file 958b53c49483769260603cac186dcce1_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Writes to the Master Boot Record (MBR)

Loads dropped DLL

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 16:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl90.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 528 wrote to memory of 2556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 528 wrote to memory of 2556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 528 wrote to memory of 2556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl90.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl90.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4436,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BE 88.221.83.192:443 www.bing.com tcp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 192.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\APlayer.dll

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\APlayer3.DLL\AppID = "{3C8609A8-C549-4A30-894C-E4726E25BF6B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\ = "APlayer3 Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3C8609A8-C549-4A30-894C-E4726E25BF6B}\ = "APlayer3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97830570-35FE-4195-83DE-30E79B718713}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125\2eeb4adf-4578-4d10-bca7-bb955f56320a C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\Transforms\Categories\f79eac7d-e545-4387-bdee-d647d7bde42a\d23b90d0-144f-46bd-841d-59e4eb19dc59 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\ = "IPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\874131cb-4ecc-443b-8948-746b89595d20 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97830570-35FE-4195-83DE-30E79B718713}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\ = "_IPlayerEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\NumMethods\ = "25" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\Categories\4a69b442-28be-4991-969c-b500adf5d8a8 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\Categories\33d9a760-90c8-11d0-bd43-00a0c911ce86\d23b90d0-144f-46bd-841d-59e4eb19dc59 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\82d353df-90bd-4382-8bc2-3f6192b76e34 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\Transforms\Categories\d6c02d4b-6833-45b4-971a-05a4b04bab91\82d353df-90bd-4382-8bc2-3f6192b76e34 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\Categories\33d9a760-90c8-11d0-bd43-00a0c911ce86 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\Transforms\Categories\f79eac7d-e545-4387-bdee-d647d7bde42a C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player\CurVer\ = "APlayer3.Player.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\VersionIndependentProgID\ = "APlayer3.Player" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\ = "_IPlayerEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97830570-35FE-4195-83DE-30E79B718713}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125\874131cb-4ecc-443b-8948-746b89595d20 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\Transforms C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\InprocServer32\ = "C:\\Users\\Public\\Thunder Network\\APlayer\\APlayer_3.9.10.815.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\Transforms\82d353df-90bd-4382-8bc2-3f6192b76e34 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\Transforms\Categories\d6c02d4b-6833-45b4-971a-05a4b04bab91 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2eeb4adf-4578-4d10-bca7-bb955f56320a} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player\CLSID\ = "{A9332148-C691-4B9D-91FC-B9C461DBE9DD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\MiscStatus\1\ = "131473" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97830570-35FE-4195-83DE-30E79B718713}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\InProcServer32\ = "C:\\Users\\Public\\Thunder Network\\APlayer\\APlayer_3.9.10.815.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player.1\CLSID\ = "{A9332148-C691-4B9D-91FC-B9C461DBE9DD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d23b90d0-144f-46bd-841d-59e4eb19dc59} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\TypeLib\ = "{97830570-35FE-4195-83DE-30E79B718713}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\ = "IPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F19169FA-7EB8-45EB-8800-0D1F7C88F553} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1444 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\APlayer.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\APlayer.dll

Network

N/A

Files

\Users\Public\Thunder Network\APlayer\APlayer_3.9.10.815.dll

MD5 5015634ba3b9d6535bac2ea730a6bbbf
SHA1 da5888eb6d81edee0c25effd857813f2d15f67b6
SHA256 313477db6985e3043af15b31c74b192d67270aa838cd0af660f0fe357d7bf963
SHA512 237e3351949899d3aa67542e3db919f91c620ff63a9718f053047fb03516a7682952f3859fa985d4fd1458cc868b66184d61f16f711b9a937d192214e56c8741

memory/3052-3-0x00000000024D0000-0x000000000269B000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240215-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLFSIO.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLFSIO.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLFSIO.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphic.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5080 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5080 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5080 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphic.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphic.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3776 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/2368-0-0x0000000002E00000-0x0000000002E2B000-memory.dmp

memory/2368-2-0x0000000002E30000-0x0000000002E65000-memory.dmp

memory/2368-4-0x0000000002E70000-0x0000000002E83000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLLuaRuntime.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1676 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1676 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLLuaRuntime.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLLuaRuntime.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 564

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/4852-0-0x00000000013E0000-0x0000000001415000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20231129-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl90.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl90.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl90.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl71.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 4580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3920 wrote to memory of 4580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3920 wrote to memory of 4580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl71.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl71.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20231129-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphicPlus.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphicPlus.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphicPlus.dll,#1

Network

N/A

Files

memory/1628-0-0x0000000000720000-0x0000000000828000-memory.dmp

memory/1628-2-0x0000000000170000-0x000000000019B000-memory.dmp

memory/1628-4-0x0000000000240000-0x0000000000253000-memory.dmp

memory/1628-7-0x0000000000840000-0x0000000000875000-memory.dmp

memory/1628-8-0x0000000000880000-0x00000000008BF000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUE.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 336 wrote to memory of 4224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 336 wrote to memory of 4224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 336 wrote to memory of 4224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUE.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUE.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 88.221.83.211:443 www.bing.com tcp
US 8.8.8.8:53 211.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4224-4-0x0000000002E40000-0x0000000002F48000-memory.dmp

memory/4224-3-0x0000000002E00000-0x0000000002E35000-memory.dmp

memory/4224-0-0x0000000002DC0000-0x0000000002DFF000-memory.dmp

memory/4224-12-0x0000000002F50000-0x000000000303F000-memory.dmp

memory/4224-11-0x0000000002DC0000-0x0000000002EAF000-memory.dmp

memory/4224-9-0x00000000030A0000-0x00000000030B3000-memory.dmp

memory/4224-7-0x0000000003060000-0x000000000308B000-memory.dmp

memory/4224-6-0x0000000002F50000-0x000000000303F000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240508-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XMP.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\XMP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XMP.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XMP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XMP.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XMP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XMP.exe

"C:\Users\Admin\AppData\Local\Temp\XMP.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 conf.v.xunlei.com udp
CN 121.41.70.248:80 conf.v.xunlei.com tcp
CN 121.41.70.248:80 conf.v.xunlei.com tcp
US 8.8.8.8:53 xmlconf.rcv.sandai.net udp
CN 101.133.169.157:80 xmlconf.rcv.sandai.net tcp
US 8.8.8.8:53 xmp.down.sandai.net udp
US 8.8.8.8:53 user.stat.v.xunlei.com udp
CN 183.204.211.219:80 xmp.down.sandai.net tcp
US 8.8.8.8:53 bin.stat.v.xunlei.com udp
CN 121.41.70.248:80 conf.v.xunlei.com tcp
CN 47.97.179.170:18996 bin.stat.v.xunlei.com tcp
CN 47.97.179.170:18996 bin.stat.v.xunlei.com udp
CN 121.41.70.248:80 conf.v.xunlei.com tcp

Files

memory/1596-2-0x0000000010000000-0x00000000100EF000-memory.dmp

memory/1596-0-0x0000000000630000-0x0000000000643000-memory.dmp

memory/1596-3-0x0000000001DC0000-0x0000000001DEB000-memory.dmp

memory/1596-5-0x0000000001F40000-0x0000000001F75000-memory.dmp

memory/1596-7-0x0000000002280000-0x00000000022BF000-memory.dmp

memory/1596-9-0x00000000022C0000-0x00000000023C8000-memory.dmp

memory/1596-11-0x00000000023F0000-0x0000000002666000-memory.dmp

memory/1596-14-0x0000000002670000-0x00000000026B6000-memory.dmp

memory/1596-13-0x0000000002800000-0x0000000002D23000-memory.dmp

memory/1596-16-0x00000000026C0000-0x00000000026EC000-memory.dmp

memory/1596-18-0x0000000002740000-0x0000000002741000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Xmp\ProgramData\XmpAddinConfig.ini

MD5 c941facb9d6fab0b1a26d63b7f239ff2
SHA1 0f4561ee24ef9ae429da8c5454efa4600ea57e54
SHA256 0ef025e1fcc8dbea19677eb55044c531a5b60fa18d8537a7a8e84a67ae2200e1
SHA512 0d3252ae487cd4d00f8adbbe734e0a343dc2f78993da3b176e0e08691084d5f5cac0efdd44b856306743b0a43878f246a4fb6ed080e8bc3b7e665ca1ee1f2544

memory/1596-30-0x0000000003200000-0x0000000003202000-memory.dmp

memory/1596-31-0x0000000003210000-0x0000000003212000-memory.dmp

memory/1596-37-0x0000000000240000-0x0000000000340000-memory.dmp

memory/1596-38-0x0000000004183000-0x0000000004184000-memory.dmp

memory/1596-40-0x0000000000240000-0x0000000000340000-memory.dmp

memory/1596-41-0x0000000010000000-0x00000000100EF000-memory.dmp

memory/1596-42-0x0000000002740000-0x0000000002741000-memory.dmp

memory/1596-43-0x0000000000240000-0x0000000000340000-memory.dmp

memory/1596-44-0x0000000000240000-0x0000000000340000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libuv.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1140 wrote to memory of 3532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1140 wrote to memory of 3532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1140 wrote to memory of 3532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libuv.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libuv.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3532 -ip 3532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3956 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.178.10:443 tcp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\APlayer.dll

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories\f79eac7d-e545-4387-bdee-d647d7bde42a C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\ = "_IPlayerEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82d353df-90bd-4382-8bc2-3f6192b76e34} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125\2eeb4adf-4578-4d10-bca7-bb955f56320a C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\ProgID\ = "APlayer3.Player.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player.1\ = "Player Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\NumMethods\ = "25" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\d23b90d0-144f-46bd-841d-59e4eb19dc59 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3C8609A8-C549-4A30-894C-E4726E25BF6B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97830570-35FE-4195-83DE-30E79B718713}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories\33d9a760-90c8-11d0-bd43-00a0c911ce86 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{874131cb-4ecc-443b-8948-746b89595d20}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\874131cb-4ecc-443b-8948-746b89595d20 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player.1\CLSID\ = "{A9332148-C691-4B9D-91FC-B9C461DBE9DD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97830570-35FE-4195-83DE-30E79B718713}\1.0\HELPDIR\ = "C:\\Users\\Public\\Thunder Network\\APlayer\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player\ = "Player Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\VersionIndependentProgID\ = "APlayer3.Player" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97830570-35FE-4195-83DE-30E79B718713}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97830570-35FE-4195-83DE-30E79B718713}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\AppID = "{3C8609A8-C549-4A30-894C-E4726E25BF6B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\TypeLib\ = "{97830570-35FE-4195-83DE-30E79B718713}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories\4a69b442-28be-4991-969c-b500adf5d8a8 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\82d353df-90bd-4382-8bc2-3f6192b76e34 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125\5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\d23b90d0-144f-46bd-841d-59e4eb19dc59 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player\CLSID\ = "{A9332148-C691-4B9D-91FC-B9C461DBE9DD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\TypeLib\ = "{97830570-35FE-4195-83DE-30E79B718713}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\InProcServer32\ = "C:\\Users\\Public\\Thunder Network\\APlayer\\APlayer_3.9.10.815.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3C8609A8-C549-4A30-894C-E4726E25BF6B}\ = "APlayer3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\MiscStatus\1\ = "131473" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97830570-35FE-4195-83DE-30E79B718713}\1.0\0\win32\ = "C:\\Users\\Public\\Thunder Network\\APlayer\\APlayer_3.9.10.815.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\2eeb4adf-4578-4d10-bca7-bb955f56320a C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\APlayer3.Player\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9332148-C691-4B9D-91FC-B9C461DBE9DD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31D6469C-1DA7-47C0-91F9-38F0C39F9B89}\ = "_IPlayerEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories\d6c02d4b-6833-45b4-971a-05a4b04bab91\82d353df-90bd-4382-8bc2-3f6192b76e34 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d23b90d0-144f-46bd-841d-59e4eb19dc59} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F19169FA-7EB8-45EB-8800-0D1F7C88F553}\ = "IPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories\f79eac7d-e545-4387-bdee-d647d7bde42a\d23b90d0-144f-46bd-841d-59e4eb19dc59 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 4276 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3176 wrote to memory of 4276 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3176 wrote to memory of 4276 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\APlayer.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\APlayer.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

C:\Users\Public\Thunder Network\APlayer\APlayer_3.9.10.815.dll

MD5 5015634ba3b9d6535bac2ea730a6bbbf
SHA1 da5888eb6d81edee0c25effd857813f2d15f67b6
SHA256 313477db6985e3043af15b31c74b192d67270aa838cd0af660f0fe357d7bf963
SHA512 237e3351949899d3aa67542e3db919f91c620ff63a9718f053047fb03516a7682952f3859fa985d4fd1458cc868b66184d61f16f711b9a937d192214e56c8741

memory/4276-5-0x0000000002CA0000-0x0000000002E6B000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20231129-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AssociateHelper.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AssociateHelper.exe

"C:\Users\Admin\AppData\Local\Temp\AssociateHelper.exe"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUE.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUE.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUE.dll,#1

Network

N/A

Files

memory/2188-1-0x0000000000A50000-0x0000000000B58000-memory.dmp

memory/2188-2-0x00000000001E0000-0x000000000020B000-memory.dmp

memory/2188-4-0x0000000000220000-0x0000000000233000-memory.dmp

memory/2188-6-0x0000000000250000-0x0000000000285000-memory.dmp

memory/2188-8-0x00000000002B0000-0x00000000002EF000-memory.dmp

memory/2188-10-0x0000000002060000-0x000000000214F000-memory.dmp

memory/2188-11-0x0000000002060000-0x000000000214F000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240215-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEIPC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEIPC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEIPC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 240

Network

N/A

Files

memory/2220-1-0x00000000001F0000-0x000000000022F000-memory.dmp

memory/2220-2-0x0000000000260000-0x0000000000295000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEIPC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 4908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4068 wrote to memory of 4908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4068 wrote to memory of 4908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEIPC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEIPC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4908 -ip 4908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3852,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 192.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp

Files

memory/4908-0-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

memory/4908-2-0x0000000002B30000-0x0000000002B65000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLFSIO.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5084 wrote to memory of 3612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5084 wrote to memory of 3612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5084 wrote to memory of 3612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLFSIO.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLFSIO.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3612 -ip 3612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\XmpPlayer.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 1612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1676 wrote to memory of 1612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1676 wrote to memory of 1612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1676 wrote to memory of 1612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1676 wrote to memory of 1612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1676 wrote to memory of 1612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1676 wrote to memory of 1612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\XmpPlayer.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\XmpPlayer.dll

Network

N/A

Files

memory/1612-1-0x0000000000D40000-0x0000000000E48000-memory.dmp

memory/1612-2-0x0000000000890000-0x00000000008BB000-memory.dmp

memory/1612-4-0x0000000000CD0000-0x0000000000CE3000-memory.dmp

memory/1612-6-0x0000000000CF0000-0x0000000000D25000-memory.dmp

memory/1612-9-0x0000000000E60000-0x0000000000EA6000-memory.dmp

memory/1612-11-0x0000000000EC0000-0x0000000000EFF000-memory.dmp

memory/1612-12-0x00000000023F0000-0x0000000002666000-memory.dmp

memory/1612-16-0x0000000000F30000-0x0000000000F5C000-memory.dmp

memory/1612-14-0x0000000002670000-0x000000000275F000-memory.dmp

memory/1612-17-0x0000000002670000-0x000000000275F000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libpng13.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 3952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2272 wrote to memory of 3952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2272 wrote to memory of 3952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libpng13.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libpng13.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3952-0-0x0000000002980000-0x0000000002993000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AssociateHelper.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AssociateHelper.exe

"C:\Users\Admin\AppData\Local\Temp\AssociateHelper.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEOPC.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4000 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4000 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4000 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEOPC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEOPC.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

memory/1532-1-0x00000000003D0000-0x00000000003FC000-memory.dmp

memory/1532-2-0x0000000002090000-0x00000000020CF000-memory.dmp

memory/1532-4-0x00000000020D0000-0x0000000002105000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\XmpPlayer.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 220 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 220 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 220 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\XmpPlayer.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\XmpPlayer.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/220-0-0x00000000027D0000-0x00000000028D8000-memory.dmp

memory/220-11-0x00000000027D0000-0x00000000028BF000-memory.dmp

memory/220-12-0x0000000002A20000-0x0000000002B0F000-memory.dmp

memory/220-13-0x0000000002B20000-0x0000000002D96000-memory.dmp

memory/220-8-0x0000000002A20000-0x0000000002B0F000-memory.dmp

memory/220-9-0x0000000002930000-0x0000000002965000-memory.dmp

memory/220-6-0x00000000029C0000-0x00000000029EC000-memory.dmp

memory/220-3-0x0000000002970000-0x00000000029AF000-memory.dmp

memory/220-2-0x00000000028E0000-0x0000000002926000-memory.dmp

memory/220-17-0x0000000002E10000-0x0000000002E23000-memory.dmp

memory/220-15-0x0000000002DD0000-0x0000000002DFB000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libexpat.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libexpat.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libexpat.dll,#1

Network

N/A

Files

memory/2184-0-0x0000000010000000-0x00000000100EF000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEOPC.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 1600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 1600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 1600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 1600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 1600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 1600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 1600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEOPC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLUEOPC.dll,#1

Network

N/A

Files

memory/1600-0-0x0000000000200000-0x000000000022C000-memory.dmp

memory/1600-2-0x0000000000230000-0x000000000026F000-memory.dmp

memory/1600-4-0x00000000002A0000-0x00000000002D5000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl71.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl71.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\atl71.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libexpat.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 3744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2388 wrote to memory of 3744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2388 wrote to memory of 3744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libexpat.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libexpat.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3744 -ip 3744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 600

Network

Country Destination Domain Proto

Files

memory/3744-0-0x0000000010000000-0x00000000100EF000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libuv.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libuv.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libuv.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240221-en

Max time kernel

123s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphic.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphic.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphic.dll,#1

Network

N/A

Files

memory/2720-0-0x00000000000C0000-0x00000000000EB000-memory.dmp

memory/2720-2-0x00000000001F0000-0x0000000000203000-memory.dmp

memory/2720-4-0x0000000000220000-0x0000000000255000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphicPlus.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3892 wrote to memory of 1800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3892 wrote to memory of 1800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3892 wrote to memory of 1800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphicPlus.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLGraphicPlus.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 660

Network

Country Destination Domain Proto

Files

memory/1800-3-0x0000000002620000-0x0000000002728000-memory.dmp

memory/1800-6-0x0000000002730000-0x000000000275B000-memory.dmp

memory/1800-8-0x0000000002770000-0x0000000002783000-memory.dmp

memory/1800-4-0x00000000025E0000-0x000000000261F000-memory.dmp

memory/1800-1-0x00000000025A0000-0x00000000025D5000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLLuaRuntime.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLLuaRuntime.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XLLuaRuntime.dll,#1

Network

N/A

Files

memory/2172-0-0x00000000001C0000-0x00000000001F5000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XMP.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\XMP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XMP.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XMP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XMP.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XMP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XMP.exe

"C:\Users\Admin\AppData\Local\Temp\XMP.exe"

Network

Country Destination Domain Proto

Files

memory/2640-0-0x00000000022E0000-0x00000000022F3000-memory.dmp

memory/2640-4-0x0000000010000000-0x00000000100EF000-memory.dmp

memory/2640-2-0x0000000002310000-0x000000000233B000-memory.dmp

memory/2640-5-0x0000000002390000-0x00000000023C5000-memory.dmp

memory/2640-7-0x00000000023D0000-0x000000000240F000-memory.dmp

memory/2640-9-0x0000000002780000-0x0000000002888000-memory.dmp

memory/2640-11-0x00000000028B0000-0x0000000002B26000-memory.dmp

memory/2640-13-0x0000000002CE0000-0x0000000003203000-memory.dmp

memory/2640-14-0x0000000002B50000-0x0000000002B96000-memory.dmp

memory/2640-16-0x0000000002BA0000-0x0000000002BCC000-memory.dmp

memory/2640-18-0x0000000002C50000-0x0000000002C51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Xmp\ProgramData\XmpAddinConfig.ini

MD5 c941facb9d6fab0b1a26d63b7f239ff2
SHA1 0f4561ee24ef9ae429da8c5454efa4600ea57e54
SHA256 0ef025e1fcc8dbea19677eb55044c531a5b60fa18d8537a7a8e84a67ae2200e1
SHA512 0d3252ae487cd4d00f8adbbe734e0a343dc2f78993da3b176e0e08691084d5f5cac0efdd44b856306743b0a43878f246a4fb6ed080e8bc3b7e665ca1ee1f2544

memory/2640-34-0x00000000043C0000-0x000000000458B000-memory.dmp

memory/2640-36-0x0000000000600000-0x0000000000700000-memory.dmp

memory/2640-37-0x00000000043C3000-0x00000000043C4000-memory.dmp

memory/2640-38-0x00000000043C0000-0x000000000458B000-memory.dmp

memory/2640-40-0x00000000043C0000-0x000000000458B000-memory.dmp

memory/2640-41-0x0000000010000000-0x00000000100EF000-memory.dmp

memory/2640-42-0x0000000002C50000-0x0000000002C51000-memory.dmp

memory/2640-43-0x0000000000600000-0x0000000000700000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-04 16:36

Reported

2024-06-04 16:39

Platform

win7-20240419-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libpng13.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libpng13.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libpng13.dll,#1

Network

N/A

Files

memory/2308-0-0x0000000000180000-0x0000000000193000-memory.dmp