Malware Analysis Report

2025-01-03 09:36

Sample ID 240604-vxselaed73
Target 95a9f7060da714981527add4417e341b_JaffaCakes118
SHA256 2d52ef6c7d66fed4ca81a4a0e0adfad036d24653700fd17a45366826ce0ad45a
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4, behavioral10, behavioral21, behavioral27, behavioral5, behavioral11, behavioral12, behavioral24, behavioral13, behavioral18, behavioral25, behavioral28, behavioral3, behavioral31, behavioral8, behavioral16, behavioral23, behavioral1, behavioral2, behavioral14, behavioral15, behavioral17, behavioral20, behavioral22, behavioral7, behavioral19, behavioral30, behavioral32, behavioral6, behavioral9, behavioral26, behavioral29 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

2d52ef6c7d66fed4ca81a4a0e0adfad036d24653700fd17a45366826ce0ad45a

Threat Level: Shows suspicious behavior

The file 95a9f7060da714981527add4417e341b_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

NSIS installer

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 17:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows)

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3752 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3008 -ip 3008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/3008-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/3008-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 4784 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 1544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

Network

N/A

Files

memory/1544-0-0x0000000000280000-0x00000000002D5000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240508-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

Network

N/A

Files

memory/2056-1-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/2056-0-0x00000000009A0000-0x00000000009A1000-memory.dmp

memory/2056-4-0x0000000000A30000-0x0000000000A31000-memory.dmp

memory/2056-3-0x0000000000A20000-0x0000000000A21000-memory.dmp

memory/2056-2-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/2056-6-0x0000000000A50000-0x0000000000A51000-memory.dmp

memory/2056-5-0x0000000000A40000-0x0000000000A41000-memory.dmp

memory/2056-7-0x0000000000A60000-0x0000000000A61000-memory.dmp

memory/2056-8-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/2056-9-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/2056-10-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/2056-11-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

memory/2056-12-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

memory/2056-13-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/2056-14-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

memory/2056-15-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

memory/2056-16-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

memory/2056-17-0x0000000000B00000-0x0000000000B01000-memory.dmp

memory/2056-18-0x0000000000B10000-0x0000000000B11000-memory.dmp

memory/2056-19-0x0000000000B20000-0x0000000000B21000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240508-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 224

Network

N/A

Files

memory/2668-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2668-0-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 3180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3180 -ip 3180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe

"C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 base.landers.37.com udp
CN 42.194.172.182:80 base.landers.37.com tcp
US 8.8.8.8:53 www.37.com udp
GB 174.35.118.62:80 www.37.com tcp
GB 174.35.118.62:443 www.37.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 62.118.35.174.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.120:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 120.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (4 identical rows)
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/212-0-0x0000000000F20000-0x0000000000F21000-memory.dmp

memory/212-7-0x0000000000F20000-0x0000000000F21000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240419-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 224

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 4880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4880 -ip 4880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.120:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 120.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 identical rows)
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 1608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A (40 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 4268 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 2.17.196.130:443 www.bing.com tcp
US 8.8.8.8:53 130.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (4 identical rows)
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/4268-0-0x0000000000010000-0x0000000000011000-memory.dmp

memory/4268-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/4268-2-0x0000000000030000-0x0000000000031000-memory.dmp

memory/4268-3-0x0000000000040000-0x0000000000041000-memory.dmp

memory/4268-4-0x0000000000050000-0x0000000000051000-memory.dmp

memory/4268-5-0x0000000000060000-0x0000000000061000-memory.dmp

memory/4268-6-0x0000000000070000-0x0000000000071000-memory.dmp

memory/4268-7-0x0000000000080000-0x0000000000081000-memory.dmp

memory/4268-8-0x0000000000090000-0x0000000000091000-memory.dmp

memory/4268-9-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/4268-10-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/4268-11-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/4268-12-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/4268-13-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/4268-14-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/4268-15-0x0000000000100000-0x0000000000101000-memory.dmp

memory/4268-16-0x0000000000110000-0x0000000000111000-memory.dmp

memory/4268-17-0x0000000000120000-0x0000000000121000-memory.dmp

memory/4268-18-0x0000000000130000-0x0000000000131000-memory.dmp

memory/4268-19-0x0000000000140000-0x0000000000141000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 224

Network

N/A

Files

memory/2984-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2984-0-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240221-en

Max time kernel

135s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tabGame.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\tabGame.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tabGame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tabGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tabGame.exe

"C:\Users\Admin\AppData\Local\Temp\tabGame.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 socks.landers.37.com udp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
US 8.8.8.8:53 landers.37.com udp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
US 8.8.8.8:53 landers.37.com udp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp

Files

memory/1340-0-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/1340-2-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/1340-3-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/1340-4-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/1340-5-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

memory/1340-6-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

memory/1340-7-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

memory/1340-8-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

memory/1340-9-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

memory/1340-10-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

memory/1340-11-0x0000000002D00000-0x0000000002D01000-memory.dmp

memory/1340-12-0x0000000002E10000-0x0000000002E11000-memory.dmp

memory/1340-13-0x0000000002E60000-0x0000000002E61000-memory.dmp

memory/1340-14-0x0000000002E70000-0x0000000002E71000-memory.dmp

memory/1340-15-0x0000000002E80000-0x0000000002E81000-memory.dmp

memory/1340-16-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

memory/1340-17-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

memory/1340-18-0x0000000003000000-0x0000000003001000-memory.dmp

memory/1340-19-0x0000000003010000-0x0000000003011000-memory.dmp

memory/1340-20-0x0000000003020000-0x0000000003021000-memory.dmp

memory/1340-21-0x0000000003170000-0x0000000003171000-memory.dmp

memory/1340-22-0x00000000000D0000-0x00000000000D1000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240426-en

Max time kernel

100s

Max time network

125s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\License.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\License.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
BE 2.17.196.82:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 82.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 200.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/2192-0-0x00007FF897550000-0x00007FF897560000-memory.dmp

memory/2192-5-0x00007FF897550000-0x00007FF897560000-memory.dmp

memory/2192-6-0x00007FF897550000-0x00007FF897560000-memory.dmp

memory/2192-4-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-3-0x00007FF897550000-0x00007FF897560000-memory.dmp

memory/2192-2-0x00007FF897550000-0x00007FF897560000-memory.dmp

memory/2192-1-0x00007FF8D756D000-0x00007FF8D756E000-memory.dmp

memory/2192-8-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-7-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-10-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-15-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-16-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-17-0x00007FF8953F0000-0x00007FF895400000-memory.dmp

memory/2192-14-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-13-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-18-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-12-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-11-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-19-0x00007FF8953F0000-0x00007FF895400000-memory.dmp

memory/2192-9-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/2192-483-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-521-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-520-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-519-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-518-0x00007FF8D756D000-0x00007FF8D756E000-memory.dmp

memory/2192-522-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

memory/2192-545-0x00007FF897550000-0x00007FF897560000-memory.dmp

memory/2192-546-0x00007FF897550000-0x00007FF897560000-memory.dmp

memory/2192-547-0x00007FF897550000-0x00007FF897560000-memory.dmp

memory/2192-544-0x00007FF897550000-0x00007FF897560000-memory.dmp

memory/2192-548-0x00007FF8D74D0000-0x00007FF8D76C5000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 928 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 928 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 928 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1256 -ip 1256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
BE 2.17.196.82:443 www.bing.com tcp
US 8.8.8.8:53 82.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe

"C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 base.landers.37.com udp
US 8.8.8.8:53 www.37.com udp
CN 42.194.172.182:80 base.landers.37.com tcp
GB 138.113.101.20:80 www.37.com tcp
GB 138.113.101.20:443 www.37.com tcp

Files

memory/2188-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3200.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2188-118-0x00000000000F0000-0x00000000000F1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95a9f7060da714981527add4417e341b_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\95a9f7060da714981527add4417e341b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\95a9f7060da714981527add4417e341b_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst74B5.tmp\WndProc.dll

MD5 f0cb331dd4bd92a6ebce45e7cd1cf5ef
SHA1 b66ea0c10b08750295f2dc7c170b370402393214
SHA256 e7b3115fa2ce4a8fa09beeefa4fb634a474197f38a2854ce9be60d0a26016458
SHA512 7c33418f39b91ae0d4cc8b560f516bac293593eef539832815028878c2058bf1691c2d767a039cf312989839071f2f6f0b6d9d59835acdfff6b448bf1ffea271

\Users\Admin\AppData\Local\Temp\nst74B5.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

\Users\Admin\AppData\Local\Temp\nst74B5.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nst74B5.tmp\SkinBtn.dll

MD5 e4ec95271ff1bcebab49bdfed6817a22
SHA1 2c03e97f4773aea80ecdb98a1482e5896fe4677b
SHA256 ee1c06692a757473737b0ebdef16f77b63afac864d0890022d905e4873737dd6
SHA512 771a527133806307a1b17b7e956d6a3c16e9bc675bf084b43204ae784a057dac2726dbf90645692876043a4e7365ba8825c167621fde4760c79cd84679e2aa3d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95a9f7060da714981527add4417e341b_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\95a9f7060da714981527add4417e341b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\95a9f7060da714981527add4417e341b_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsx3347.tmp\SkinBtn.dll

MD5 e4ec95271ff1bcebab49bdfed6817a22
SHA1 2c03e97f4773aea80ecdb98a1482e5896fe4677b
SHA256 ee1c06692a757473737b0ebdef16f77b63afac864d0890022d905e4873737dd6
SHA512 771a527133806307a1b17b7e956d6a3c16e9bc675bf084b43204ae784a057dac2726dbf90645692876043a4e7365ba8825c167621fde4760c79cd84679e2aa3d

C:\Users\Admin\AppData\Local\Temp\nsx3347.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsx3347.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

C:\Users\Admin\AppData\Local\Temp\nsx3347.tmp\WndProc.dll

MD5 f0cb331dd4bd92a6ebce45e7cd1cf5ef
SHA1 b66ea0c10b08750295f2dc7c170b370402393214
SHA256 e7b3115fa2ce4a8fa09beeefa4fb634a474197f38a2854ce9be60d0a26016458
SHA512 7c33418f39b91ae0d4cc8b560f516bac293593eef539832815028878c2058bf1691c2d767a039cf312989839071f2f6f0b6d9d59835acdfff6b448bf1ffea271

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2688 wrote to memory of 4328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2688 wrote to memory of 4328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2688 wrote to memory of 4328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240221-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 228

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 244

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

138s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\$_47_\Web\error.html

Signatures

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3580 wrote to memory of 1140 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 1140 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 2072 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 408 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 408 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3580 wrote to memory of 4984 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\$_47_\Web\error.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80c8546f8,0x7ff80c854708,0x7ff80c854718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,6782146801984940371,17268361803540460687,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2812 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ea98e583ad99df195d29aa066204ab56
SHA1 f89398664af0179641aa0138b337097b617cb2db
SHA256 a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
SHA512 e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

\??\pipe\LOCAL\crashpad_3580_VLSVRGVEBHIPNSBV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4f7152bc5a1a715ef481e37d1c791959
SHA1 c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
SHA256 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
SHA512 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 56ca4a949c9410c86545dcfaa1080243
SHA1 6f3337f747ca64440c4a1a7193337c08897cac51
SHA256 06c8a154e27994a6be27d7168b70cf6364153397464ae8243cf3336acc1309c8
SHA512 40293a708e1f0078f929492dbba4ab2e1d47f545434c2cc01d12bc742f7b7af9270ae4cc63b7de9bd0801049f2b2961d5212d3fe4e77ff26e12689881f5c9a77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d61a48538c8af3f6ecf224daaf078ed5
SHA1 65d296e0598f4dc98d8def2f556af7d6c643b725
SHA256 9d9103d555f9b201800155ae227d76cd4ef1a34b411c3e08c0894ca6bf28cf47
SHA512 14825d301f5169824ba4dc8611ec7e8f7aaf806d9cdb981aea238d8b5b875b8ce4382620d7141f6280b6f99d777fe4edcc073cc29af6d16e0785f5156dd43bac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 05da7181d0be69d61a1e90f108096092
SHA1 58c89174a9276931be6ceff55c832bbb64b80524
SHA256 667ff79cca566fa3e0662accf87987e4dc665f113e576a0d43d1cd82427a3e0d
SHA512 70a50eb54fc0c2f9285e8b796d05f43a958bcddbb4848e2b7d66ae2ef1e402ba76712ae1b760de4e01e8efb8fe3b47dde5959376075370e896f420e169b40688

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2216 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2216 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20231129-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\License.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\License.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2220-0-0x000000002FBB1000-0x000000002FBB2000-memory.dmp

memory/2220-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2220-2-0x000000007174D000-0x0000000071758000-memory.dmp

memory/2220-14-0x000000007174D000-0x0000000071758000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 f4111a3710f25e9e7ad421b2b446b88d
SHA1 9bfe04cf0cd94f4a851a50cef1235a70592877bb
SHA256 aec59a7f3ad6b5e39c441e8ab9669c139e8e3bc1faaa543d765ff12de1bd2c20
SHA512 62741232f43cd0fc62d906724c6696a148b710d8cc5b27deb19c6698bc7d5d7f3322bb4524e3338d2cf76c5b45c040b45bd2217978664f9b8b07cbc9546d6cdb

memory/2220-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20231129-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$_47_\Web\error.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005d4c24f20cecc74fa281ab869347d87a00000000020000000000106600000001000020000000280bd71d2140d3dc2f67ab60a674928f28685dafd3ae42d33a7e7381f4f261d4000000000e80000000020000200000003e959c70a62070508bd75797374d87323dccb09842dde08589aa290e51a9c94e20000000d434c928e737fcca5e04d1ee1f38b963171d1b14dc1a5ffbf27ca0647a405a7d4000000010253883d9fa5f867a041fe76133e8cac20c316d60e153ec72f49ec52710d541b5686ffa367a571fadb670c41f1b104b1fd8ec39a488d5a9f777508661c669e9 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 903cb0dda3b6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423683623" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted from report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{090CBAD1-2297-11EF-8DE0-D691EE3F3902} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$_47_\Web\error.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
BE 2.17.196.130:80 www.bing.com tcp
BE 2.17.196.130:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar25B0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc025ec2c5a190220f3c500eff774d5b
SHA1 5ad704b54cc799d8e865e2155abba47377d9248e
SHA256 4bace669dbbdb5ef8b73fb8aa468cea0c137f9311332f533fa98f8d03a2ad6f8
SHA512 0f49162aa81da52022ea3e3cbfb8d7750763b11fe96e592450b39582c3a202d767341280532728890d6da3a29c75ac6e89b4ea3822afedf8f0e59ee4c74ba910

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 e94c80742d4563c75d8f5ba0fa9a8874
SHA1 166b87e00bb31cdf374ff195e95222012bb1aea5
SHA256 61f3200ca2167930b947a82bf28685d0637a835d3082893230d6209d8465c89b
SHA512 e01c4ddf364385bbb15340dd3be98717a1abec0fcdce3a13a372c2adef6c045c1edd4fa3a5efe67f1f10a75f44ce190101fe82b9633da78e96f16892ef88d464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74736e15dc053dfcd69a19227f1f0e73
SHA1 7e6a7f0f168bd9d0e230c946043fb74750f2dd3d
SHA256 181f0cb3b781654be5dcb6e4f6e609336c970d392b0dc2ff4103777ebcdcd402
SHA512 7b43c3673d67163f436d5b0b2d1b11bf564c5969530db518e125524f2c0bfe18b0015febe396349bc9f9c256a310fff0d5ecbfd98750878379e85407c6b02fa7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5beb78b35f7eafa187bb0b0923e0cf8
SHA1 c75929089d557eb69f0522e252e7f7501aaedcbf
SHA256 189652596c029f38208b9e66f856f84f139d1036508e813e52937ee97136f7c6
SHA512 4fe33ae9d6a95ec281cb1aab0d6102633c122be5f35c2a727ed9e4f39edad8ff7c51c8e8eae1ec0c2654d965aac935e23db04756c218f5819699fe70c1b88d6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4009eaa6ef51b3e98ed0816974885eb1
SHA1 f03feaff92c11a03a925d7255eb8ac859b1b7a1c
SHA256 f6d15d499ec60c3539163a41df87acfb90982ac6a1e1c9c2441f821c4f3a83ed
SHA512 3e7c1a5b318cd58e9b05b231cd3f3ff606bbfe698a8615240533832eb06fe14ca440267fe82689ddc69e4801071e513bfc482f2aae52ea7dc3a330ffa2eeb803

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8306afd08bd1c747b621fdb8c1bfd154
SHA1 e864bf989e0b0afd264719aa21955985ad20778c
SHA256 c5a385482d3315836a42f324c236b320e794eaf4f635a41c4d8ac623544e0cd9
SHA512 0d2ce0740f691cabe9f304b2648d6d38f519822953f161b62b1ef582e5bfeaf48f857763ef51b216695e91919df9a162a8a69b74e4c90939690c1f6982089ec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dda4287c67436e68d9cf13db8136581e
SHA1 5aaa2b5f9226e9c5e9bb0100c0b980b23c296f97
SHA256 a276a8dea9700b19d4a6ceee8a39f4d1058e0b28358b7296fc8e6fa997d5ddb9
SHA512 77352446a083b898381d73b3b6b585f6bab859d66ecd8b12fa9e0f3716ea0e3a018cbd1a661d1974cb3ea0e37c6621ee3721597a33c6d5dc1891daaec592b847

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 f77632b843593f074150e67729f8c26a
SHA1 3b731f21c41233fd0e47bb844e677df7e1992ab9
SHA256 b2bc83b29448f1da1d79675b1eccc6b080d23d1bf8fcefa99443c34df02996e2
SHA512 2d2148a6896c159dc92bf314720d145d10dc241d5f7429f99f9ef4bb1a481695595f4747f056ebd5fc160f45f4ade5670ff84c4230bfbdf1760a2d67b0c68271

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95313d2a21fbbcd2e4932c66dd5c7c4d
SHA1 884f118c174bda7c436faa37e62561fd78e25c9f
SHA256 03f67515242ce2927e3eb24e1b2d80278870073daf774e243f198d2238096190
SHA512 a691a9999b6f774b8faeed41e779bb02bb61f47ab37deebf448c6282d2119da69619d31ce9ed93dbdb54b4e6ba62eb913323735a2c884d393c645e4cbdb95b5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b80951c7f54ca3adb384177565d6bce
SHA1 ba8b3515846244e0e6aa801b6d6d995288b6fe36
SHA256 8ca546b5cd4f2d0d79e2e01f4772c4b27ebc3ead63b76e2b93bd2bad3101a5b1
SHA512 c1abeef7160a479eaceb4f56d57108f2290a421264396f775889e6baf529eb1e2e6527e236bdd49c2ef3794d8499336936e608530ad0b02ed2183824dd5fcfec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ed3308f78772a4f0257e97438ee4e72
SHA1 bd13499fce171a3ccc70c7190aef07caf3b781bc
SHA256 9098c363bfad2735dc9ed7437b226f2b0c040d6072975fc36688a1e4eaf46deb
SHA512 7a0a05e48510dfa9fe38cfe3e4730eb93b5537bd18ca131a894c7377431eafacecddc8e9977130732e6c42b1a865acd1e89168f5fa3cd69cc918cafe68fd4db8

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5ebe41704956b23926f0439fb8cb357
SHA1 faeedd4814ef0fd7749fbbf84f42a7109f173cca
SHA256 1d527aafe9850a611d38c4eb7c07ef4756dab4df1dc7edabed9030b8017851de
SHA512 4e1c37c433aee62e4f094150d55a48050f9ba5f7c42a3596e2c48df28e5081f532ca1846c15dcee9c7d7440b66f7d187274485fd9384c18a607c71fb5743e4b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c09bb82c09f37dba524ae20917c132d
SHA1 c1c3c0d7111a6d8a3adc5a10bbcdb6600e8d2797
SHA256 7eaef5d12ebbae5dab686316455de115b4fe44e61c4c40f4f713a63abd74975a
SHA512 fcdde1a5bc4af38c38dbd11a4d0ba6c55411b0e37150049ee15155fce137ffe44b6f779bed814f9b3ee7a18a4eab9a680690cea2ce2f29d0b87477222ba2353a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82b17143ca7856a802880c40272b9c01
SHA1 6302c3ad679fe7d844bd765975b22f1f057eea0a
SHA256 2ca817a708146163a335418104ab97e877517417dcc39d5675c6e391013a78dd
SHA512 dc610cd1d4140347710c9451067eae431f8f9f49b59d1fdbad2dc781f04270289f10eb9d97d3d4e627e1473429555cc7ed2dceda47fae672efc6adfe3970e97e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49cd16016b65b7465659373138ceff3c
SHA1 66e202048f00567ee080797169229be26c73bd0a
SHA256 db3a23c06f4c1e8e20e2f18a0df84e96783f7e42250f7884cb4a846fda5516f0
SHA512 b33429e7dac80f174f7af2785848e89830a0365b455afb841d18e23cce67d8a657af1487d617ebfa04718dfb4983857f8645b4718ff62581a920d5eb0bb77763

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 feb80e8ec7a0ea0cf2786f7e8f576eb0
SHA1 7275633ea429cca89ff5184a0b6ccc21889d16f8
SHA256 13cf7d146f60db77c779b18c1eaef0f5fd5610ba9dfce3af8b5384df6697c987
SHA512 fca7be01c61a1c7af993587b1c3ed4fefd152c029f457d642b0d71173b8d0df4f66a75cb34de207ce75b8b1e5d30eaa00076a74ecbea881c22b86219c8710a44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33dc9feda7f7c72ca47bf7db12a13e5a
SHA1 2228e095b1f9111244e06d9deab658d77133bbdf
SHA256 f6a927a1519610e01719c32ecd85acad3603e825a715fe48067091f38820d314
SHA512 5a2d09dd5b393c70e4dd79dbb721342456334f8e47912f6e6619cda8691c2a6975e9ba2e8ca1caf67a807f3b35a96c69d26cf6ea954156af759275cfcccaa3cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa84a2cf79c6dd78328b0a8eb7d56090
SHA1 374ab1634c159224011bc3f20a02f5f7f4919e44
SHA256 6bb97375aad92f6cf508f51c474af528251adedf2f91d5a4debe30aaedcc89dd
SHA512 603fb06e16dfda7aac286b32b3b9ffc1df97a5068b1c54b0eb3a7fe7a2789e58aca3a7a3e5841bbc508638853fa25922f2dd600f70680c8c2cd83f4d59124094

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1e4a5e15a697eea2082c406f6c30838
SHA1 a2994ecd1b2d6112768d6652b26e217dc3bf5f10
SHA256 735b7e92aec02f5625cb159e560fafd2b47e21b6dcc7cac29eccdd6178ff3d29
SHA512 c1cb561a473013d6fc2d4037b0d7dfedaa17dafb8c32368dbaf1bc39e3b5183bc7bfd59ecb34337df941c4852ad6ff00f4a81cf6715cdc086ada0db68b83c8b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ce38652a60cb1c412b659247e91b90a
SHA1 55f841bfcbc83843af3362ce382d810b95062939
SHA256 22eb2ae51ba22c9969485cfa21108b9f429b2235cc16d7d431c0f0cbf0531bb4
SHA512 cafd2a662c7b00933a9cfe9d9d853680d833b542d806b7d524b5a6df7c6935921351103c9a70988f93abe74d8ed6a6ecb6833fb39f3c7c2bd13fc8e3de82c239

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bad3920eca9ee7de91927aa32f08d369
SHA1 1d371fb8be2f31688cc02c61c9bc2e1296a4bf3a
SHA256 0ef424866e60a9f1121b6e2cdbbd017785eb7a1eae5ffef95856c7233b962a66
SHA512 a5c2a5777ca064fb33f8cfdc8d1e1f22a91a669d65201fcc72545a28c4e5b95416603eb33e4456cefd16feb1e017a5e7705f6eb655f8f2e02a8406cade67ef72

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gamebox.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\gamebox.exe

"C:\Users\Admin\AppData\Local\Temp\gamebox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ptres.37.com udp
GB 138.113.101.20:80 ptres.37.com tcp
US 8.8.8.8:53 socks.landers.37.com udp
CN 121.201.30.249:80 socks.landers.37.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 20.101.113.138.in-addr.arpa udp
US 8.8.8.8:53 landers.37.com udp
CN 175.178.207.44:80 landers.37.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
CN 109.244.130.16:80 socks.landers.37.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
CN 121.201.30.249:80 socks.landers.37.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
CN 109.244.130.16:80 socks.landers.37.com tcp
US 8.8.8.8:53 gamebox.clickdata.37wan.com udp
CN 106.55.79.146:80 gamebox.clickdata.37wan.com tcp
CN 159.75.141.43:80 gamebox.clickdata.37wan.com tcp

Files

memory/4036-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/4036-0-0x0000000000010000-0x0000000000011000-memory.dmp

memory/4036-2-0x0000000000030000-0x0000000000031000-memory.dmp

memory/4036-3-0x0000000000040000-0x0000000000041000-memory.dmp

memory/4036-5-0x0000000000060000-0x0000000000061000-memory.dmp

memory/4036-4-0x0000000000050000-0x0000000000051000-memory.dmp

memory/4036-6-0x0000000000070000-0x0000000000071000-memory.dmp

memory/4036-7-0x0000000000080000-0x0000000000081000-memory.dmp

memory/4036-8-0x0000000000090000-0x0000000000091000-memory.dmp

memory/4036-9-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/4036-10-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/4036-11-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/4036-12-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/4036-13-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/4036-14-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/4036-15-0x0000000000100000-0x0000000000101000-memory.dmp

memory/4036-16-0x0000000000110000-0x0000000000111000-memory.dmp

memory/4036-17-0x0000000000120000-0x0000000000121000-memory.dmp

memory/4036-18-0x0000000000130000-0x0000000000131000-memory.dmp

memory/4036-19-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Roaming\37games\gamebox\Lander.ini

MD5 ab971a5fc87357db8aaff502da2fae9a
SHA1 85aff012cb44314b07ff323d3344cc5774cbd853
SHA256 772f96261860378468f95d26846c6d42401a87c1f49d865261bbebc1e4438fbd
SHA512 d049b02f0d6e0e105fcc5862a05b603abffd82b3316231feb2eb415a008c289772f586bb03130311df0ff6a14fc905faa349408658604b3d043aeda2ba07abe6

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240426-en

Max time kernel

127s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tabGame.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tabGame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tabGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tabGame.exe

"C:\Users\Admin\AppData\Local\Temp\tabGame.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 socks.landers.37.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
CN 121.201.30.249:80 socks.landers.37.com tcp

Files

memory/4624-0-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

memory/4624-1-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4536 wrote to memory of 2536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4536 wrote to memory of 2536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4536 wrote to memory of 2536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2536 -ip 2536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.130:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.130:443 www.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 130.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/2536-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2536-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 228

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win10v2004-20240508-en

Max time kernel

129s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3844 wrote to memory of 3748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3844 wrote to memory of 3748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3844 wrote to memory of 3748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1
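The WriteProcessMemory rows above record C:\Windows\system32\rundll32.exe (PID 3844) writing into C:\Windows\SysWOW64\rundll32.exe (PID 3748), and the Processes list shows both instances with the same command line. That is the pattern rundll32 produces when handed a 32-bit DLL on 64-bit Windows: the 64-bit instance relaunches the 32-bit copy from SysWOW64 with identical arguments, and the parent's process setup is what the sandbox observes as writes into the child. The injection-looking write is therefore expected here; the row worth acting on is that the DLL is loaded from the user's Temp directory. The Python below is an added example and not part of the report: it applies those two rules to rows constructed from the behavioral26 entries (PIDs, images and command lines copied from above), treating repeated write rows as one event per process pair. The list of user-writable path fragments is an assumption for the example.

```python
"""Triage rundll32 WriteProcessMemory hits using the report's own rows.

Added example, not part of the sandbox report. Two rules: a system32 rundll32
writing into a SysWOW64 rundll32 that carries the same DLL argument is the
WOW64 relaunch, not injection; a rundll32 DLL argument under a user-writable
path is the indicator worth escalating.
"""
import re

# Rows constructed from the behavioral26 Signatures entries above:
# (source PID, target PID, source image, target image), one row per write call.
MEMORY_WRITES = [
    (3844, 3748, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    (3844, 3748, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    (3844, 3748, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
]
# Processes list from the same analysis: image -> command line.
PROCESSES = {
    r"C:\Windows\system32\rundll32.exe":
        r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1",
    r"C:\Windows\SysWOW64\rundll32.exe":
        r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1",
}
# Assumed path fragments an unprivileged user can write to; extend for your estate.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")

# Matches an optional quoted/pathed rundll32(.exe) token and captures its arguments.
RUNDLL32_CMD = re.compile(r'^\s*"?(?:[^\s"]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)


def rundll32_dll_path(cmdline):
    """Return the DLL rundll32 was asked to load (the token before the first comma), or None."""
    m = RUNDLL32_CMD.match(cmdline)
    if not m:
        return None
    dll = m.group(1).split(",", 1)[0].strip().strip('"')
    return dll or None


def is_user_writable(path):
    """True if the path sits under a location a standard user can write to."""
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def classify_write(src_image, dst_image, src_cmd, dst_cmd):
    """64-bit rundll32 relaunching its SysWOW64 copy for a 32-bit DLL writes into the
    child during process setup; identical DLL arguments on both sides mark that case."""
    src, dst = src_image.lower(), dst_image.lower()
    src_dll, dst_dll = rundll32_dll_path(src_cmd), rundll32_dll_path(dst_cmd)
    same_dll = src_dll is not None and dst_dll is not None and src_dll.lower() == dst_dll.lower()
    if src.endswith("\\system32\\rundll32.exe") and dst.endswith("\\syswow64\\rundll32.exe") and same_dll:
        return "wow64_relaunch"
    return "cross_process_write"


def triage(writes, processes):
    """Judge each source->target pair once, then flag rundll32 DLLs from user-writable paths."""
    findings, seen = [], set()
    for src_pid, dst_pid, src_img, dst_img in writes:
        if (src_pid, dst_pid) in seen:
            continue  # the report lists one row per WriteProcessMemory call
        seen.add((src_pid, dst_pid))
        verdict = classify_write(src_img, dst_img,
                                 processes.get(src_img, ""), processes.get(dst_img, ""))
        findings.append({"write": f"{src_pid}->{dst_pid}", "verdict": verdict})
    for image, cmd in processes.items():
        dll = rundll32_dll_path(cmd)
        if dll and is_user_writable(dll):
            findings.append({"process": image, "dll": dll,
                             "verdict": "rundll32_dll_from_user_writable_path"})
    return findings


if __name__ == "__main__":
    for finding in triage(MEMORY_WRITES, PROCESSES):
        print(finding)
```

The same pair test applies to behavioral9 above (SkinBtn.dll), where the SysWOW64 instance then crashed into WerFault; a cross_process_write verdict would only be returned if the two rundll32 command lines named different DLLs or the target were not the SysWOW64 copy.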

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
BE 2.17.196.123:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 123.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-04 17:22

Reported

2024-06-04 17:25

Platform

win7-20240508-en

Max time kernel

129s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gamebox.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
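The indicator behind this signature is an open of \??\PhysicalDrive0 for modification by gamebox.exe. A writable raw-disk handle is necessary for an MBR write, but it is also what software opens to read a disk serial or geometry, so the open alone does not establish that sector 0 changed. The check to run is to dump the first sector and compare its boot-code region, disk signature and partition table against a known-good copy. The Python below is an added example, not part of the report or of the sample: it parses a 512-byte MBR, reports which regions differ, and can read the live sector on Windows from an elevated prompt via \\.\PhysicalDrive0. The two sectors it compares are constructed for the example, not dumps from this detonation.

```python
"""Confirm or rule out an MBR overwrite by diffing sector 0 against a baseline.

Added example, not part of the sandbox report. Layout of a classic MBR:
bytes 0..439 boot code, 440..443 Windows disk signature, 446..509 four
16-byte partition entries, 510..511 the 0x55AA signature.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass(frozen=True)
class Mbr:
    boot_code_sha256: str
    disk_signature: int
    partitions: tuple


def parse_mbr(sector: bytes) -> Mbr:
    """Split a raw first sector into boot-code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, type_id, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if type_id == 0:
            continue  # empty slot
        parts.append(Partition(bool(status & 0x80), type_id, lba_start, sectors))
    return Mbr(hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(), disk_sig, tuple(parts))


def compare_mbr(current: bytes, baseline: bytes) -> dict:
    """Report which MBR regions differ between a live read and a known-good dump."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    return {
        "boot_code_changed": cur.boot_code_sha256 != base.boot_code_sha256,
        "disk_signature_changed": cur.disk_signature != base.disk_signature,
        "partition_table_changed": cur.partitions != base.partitions,
    }


def read_first_sector(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk; needs an elevated prompt on Windows (use /dev/sdX on Linux)."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def build_sector(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a synthetic MBR for testing; constructed data, not an image from the sample."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, type_id, lba_start, sectors) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if bootable else 0x00, type_id, lba_start, sectors)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed baseline: the opening bytes of the stock Windows boot code
# (xor ax,ax / mov ss,ax / mov sp,0x7c00) padded with NOPs, one bootable NTFS partition.
BASELINE = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433,
                        0x1234ABCD, [(True, 0x07, 2048, 409600)])
# Constructed "after" image: partition table and disk signature untouched, boot code
# replaced, which is the shape a bootkit overwrite of sector 0 takes.
TAMPERED = build_sector(b"\xeb\x00\x90" + b"\x00" * 437,
                        0x1234ABCD, [(True, 0x07, 2048, 409600)])

if __name__ == "__main__":
    print(compare_mbr(TAMPERED, BASELINE))
```

In practice, take the baseline from the clean snapshot the sandbox reverts to and the current sector from the detonated VM's disk; a boot_code_changed result with the partition table intact is what distinguishes a bootkit install from a tool that merely opened the drive.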

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A (31 identical hits)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A (2 identical hits)

Processes

C:\Users\Admin\AppData\Local\Temp\gamebox.exe

"C:\Users\Admin\AppData\Local\Temp\gamebox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ptres.37.com udp
US 8.8.8.8:53 socks.landers.37.com udp
CN 121.201.30.249:80 socks.landers.37.com tcp
GB 138.113.101.20:80 ptres.37.com tcp
US 8.8.8.8:53 landers.37.com udp
CN 175.178.207.44:80 landers.37.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
US 8.8.8.8:53 gamebox.clickdata.37wan.com udp
CN 106.55.79.146:80 gamebox.clickdata.37wan.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 159.75.141.43:80 gamebox.clickdata.37wan.com tcp
US 8.8.8.8:53 d.wanyouxi7.com udp
GB 138.113.101.20:80 d.wanyouxi7.com tcp
US 8.8.8.8:53 S1.37wan.996a.com udp
US 8.8.8.8:53 S12.37wan.996a.com udp
CN 175.178.207.44:80 landers.37.com tcp
US 8.8.8.8:53 S13.37wan.996a.com udp
US 8.8.8.8:53 S3.37wan.996a.com udp
US 8.8.8.8:53 S21.37wan.996a.com udp
US 8.8.8.8:53 S2.37wan.996a.com udp
US 8.8.8.8:53 S22.37wan.996a.com udp
US 8.8.8.8:53 S23.37wan.996a.com udp
US 8.8.8.8:53 S5.37wan.996a.com udp
US 8.8.8.8:53 S24.37wan.996a.com udp
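This Network table mixes the sample's own traffic with sandbox background: Windows issues PTR (in-addr.arpa) lookups for addresses it has connected to, and the Bing and Microsoft flows recur across detonations (behavioral26 above contains only those). The 37.com, 37wan.com, 996a.com and wanyouxi7.com destinations are the rows attributable to gamebox.exe. The Python below is an added example, not part of the report: it parses rows in the report's "Country Destination Domain Proto" layout, drops PTR lookups and an assumed list of platform hostnames, and returns the unique domains and IP:port endpoints the sample contacted, plus domains that were resolved but never connected to. The excerpt it runs on is a constructed subset of the table above.

```python
"""Separate sample-attributable network IOCs from sandbox background noise.

Added example, not part of the sandbox report. Rows use the report's layout:
<country> <ip:port> <domain> <proto>. Port-53 UDP rows are resolver lookups,
not connections to the named domain, and are kept only to show what resolved.
"""
import json

# Hostnames the sandbox VM contacts on its own. Assumed list for this example
# (from recurring rows such as tse1.mm.bing.net); tune it against a clean
# detonation of your own platform rather than taking it as given.
NOISE_SUFFIXES = ("bing.com", "bing.net", "microsoft.com",
                  "msftconnecttest.com", "windowsupdate.com")

# Constructed excerpt of the behavioral29 Network table above.
REPORT_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 ptres.37.com udp
US 8.8.8.8:53 socks.landers.37.com udp
CN 121.201.30.249:80 socks.landers.37.com tcp
GB 138.113.101.20:80 ptres.37.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
US 8.8.8.8:53 gamebox.clickdata.37wan.com udp
CN 106.55.79.146:80 gamebox.clickdata.37wan.com tcp
US 8.8.8.8:53 S1.37wan.996a.com udp
"""


def parse_row(line):
    """'CN 121.201.30.249:80 socks.landers.37.com tcp' -> dict; domain is lower-cased."""
    country, dest, domain, proto = line.split()
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain.lower(), "proto": proto.lower()}


def ptr_to_ip(name):
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def is_noise(domain):
    """PTR lookups and platform hostnames are background, not sample behaviour."""
    if ptr_to_ip(domain) is not None:
        return True
    return any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def triage(table):
    """Return sample-attributable domains/endpoints and a count of discarded noise rows."""
    rows = [parse_row(l) for l in table.splitlines()
            if l.strip() and not l.startswith("Country")]
    endpoints = {}  # domain -> set of (ip, port, proto, country) actually connected to
    noise = 0
    for r in rows:
        if is_noise(r["domain"]):
            noise += 1
            continue
        bucket = endpoints.setdefault(r["domain"], set())
        if r["port"] == 53 and r["proto"] == "udp":
            continue  # a lookup at the resolver, not a connection to the domain
        bucket.add((r["ip"], r["port"], r["proto"], r["country"]))
    return {
        "domains": sorted(endpoints),
        "endpoints": {d: sorted(v) for d, v in endpoints.items()},
        "resolved_only": sorted(d for d, v in endpoints.items() if not v),
        "ptr_lookup_ips": sorted({ptr_to_ip(r["domain"]) for r in rows
                                  if ptr_to_ip(r["domain"])}),
        "noise_rows": noise,
    }


if __name__ == "__main__":
    print(json.dumps(triage(REPORT_ROWS), indent=2))
```

The ptr_lookup_ips output is a useful cross-check: 200.197.79.204.in-addr.arpa decodes to 204.79.197.200, the same address the tse1.mm.bing.net TCP rows go to, which confirms those lookups are the guest resolving its own connections rather than sample activity.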

Files

memory/2272-4-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2272-3-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2272-2-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2272-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2272-7-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2272-8-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2272-5-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2272-1-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2272-0-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2272-9-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2272-11-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2272-10-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2272-12-0x0000000000400000-0x0000000000401000-memory.dmp

memory/2272-13-0x0000000000410000-0x0000000000411000-memory.dmp

memory/2272-14-0x0000000000420000-0x0000000000421000-memory.dmp

memory/2272-15-0x0000000000430000-0x0000000000431000-memory.dmp

memory/2272-16-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2272-18-0x0000000000460000-0x0000000000461000-memory.dmp

memory/2272-17-0x0000000000450000-0x0000000000451000-memory.dmp

memory/2272-19-0x0000000000470000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\37games\gamebox\Lander.ini

MD5 ecf65039fe6cc652303cd9f42659d2da
SHA1 632ec56c89baeb7011a075b265978b66ff6aeca7
SHA256 423062853777187d0734b672b8c15f7948e855623feb94aafcffcdea44ea8431
SHA512 26eb1a6432cb209d5775c734efc73f9667cb3411e07966ad694e9596a8b3083f42d689b1f978a51843251e45211d8190592468443a0969b122fdca3a618c045b

C:\Users\Admin\AppData\Roaming\37games\gamebox\Upgrade\app.ini

MD5 7e24410c1cc00eef38e7ed4b881f31b1
SHA1 bbb6241907bcd611a881211d120020d3efbdb592
SHA256 b6b3083ff0b1d428f92e176510b3a7a1e5274d9a4ffef0174f1f4e30f4ed2d31
SHA512 93c9c45971a42324b3fe0c445d86bae756a248f7e9e9c9ecc60bf1765432978282b2fc814c6071cd5b65946eb5c9b95cc2d45d021eaa6ce5a998d2f55f78154f

C:\Users\Admin\AppData\Roaming\37games\gamebox\option.ini

MD5 a3aed3f395c042f131a76390f74b3c9d
SHA1 d490a5319cbac06f8a06293f085e1c961a42dea6
SHA256 dcd6680bfd400614819793b8cae17f47e6dd91b228bbf89230f09a543be5d258
SHA512 c7f3a4c50982aa298fa634d30c874f510d124ba448a1251531d6ad50a0e0a3b783d63a5a90730d219ffbf5ef5c2a881bbc54217a5fed99a43985ea39ada05033