Malware Analysis Report

2025-08-10 12:15

Sample ID 240610-1sgp7asfql
Target VirusShare_9e6e7284a23918b54a8c6b281c5dc760
SHA256 b1bcab6f7b710ddbcec0ff9ded71c0bc8b40c6dc89f833bbd58d8226a014b32f
Tags
persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b1bcab6f7b710ddbcec0ff9ded71c0bc8b40c6dc89f833bbd58d8226a014b32f

Threat Level: Shows suspicious behavior

The file VirusShare_9e6e7284a23918b54a8c6b281c5dc760 was found to show suspicious behavior.

Malicious Activity Summary

persistence upx

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer Protected Mode Banner

Modifies Internet Explorer Protected Mode

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 21:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 21:54

Reported

2024-06-10 21:57

Platform

win7-20240221-en

Max time kernel

149s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_9e6e7284a23918b54a8c6b281c5dc760.dll,#1

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\rundll32.exe N/A
N/A N/A C:\PROGRA~3\rundll32.exe N/A
N/A N/A C:\PROGRA~3\rundll32.exe N/A
N/A N/A C:\PROGRA~3\rundll32.exe N/A
N/A N/A C:\PROGRA~3\rundll32.exe N/A
N/A N/A C:\PROGRA~3\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\PROGRA~3\\rundll32.exe C:\\PROGRA~3\\1v42.dat,FG00" C:\PROGRA~3\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\as98213.txt C:\PROGRA~3\rundll32.exe N/A
File created C:\PROGRA~3\1v42.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\PROGRA~3\24v1.pad C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\PROGRA~3\24v1.pad C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\PROGRA~3\24v1.bat C:\PROGRA~3\rundll32.exe N/A
File created C:\PROGRA~3\24v1.reg C:\PROGRA~3\rundll32.exe N/A
File created C:\PROGRA~3\rundll32.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\PROGRA~3\24v1.pad C:\PROGRA~3\rundll32.exe N/A
File created C:\PROGRA~3\24v1.js C:\PROGRA~3\rundll32.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\PROGRA~3\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3" C:\PROGRA~3\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\PROGRA~3\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\PROGRA~3\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\PROGRA~3\rundll32.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\PROGRA~3\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0E78FB51-2774-11EF-A564-5267BFD3BAD1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\PROGRA~3\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424218356" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 2952 N/A C:\Windows\SysWOW64\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 1856 wrote to memory of 2952 N/A C:\Windows\SysWOW64\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 1856 wrote to memory of 2952 N/A C:\Windows\SysWOW64\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 1856 wrote to memory of 2952 N/A C:\Windows\SysWOW64\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 1856 wrote to memory of 2952 N/A C:\Windows\SysWOW64\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 1856 wrote to memory of 2952 N/A C:\Windows\SysWOW64\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 1856 wrote to memory of 2952 N/A C:\Windows\SysWOW64\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2528 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2528 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2528 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2528 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2528 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2528 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2528 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2800 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2800 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2800 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2800 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2800 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2800 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2800 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2796 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2796 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2796 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2796 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2796 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2796 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2796 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2640 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2640 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2640 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2640 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2640 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2640 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2640 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2596 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2596 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2596 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2596 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2596 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2596 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2952 wrote to memory of 2596 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2796 wrote to memory of 2376 N/A C:\PROGRA~3\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2796 wrote to memory of 2376 N/A C:\PROGRA~3\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2796 wrote to memory of 2376 N/A C:\PROGRA~3\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2796 wrote to memory of 2376 N/A C:\PROGRA~3\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2376 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2376 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2376 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2376 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2376 wrote to memory of 2360 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\ctfmon.exe
PID 2376 wrote to memory of 2360 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\ctfmon.exe
PID 2376 wrote to memory of 2360 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\ctfmon.exe
PID 2796 wrote to memory of 2376 N/A C:\PROGRA~3\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2796 wrote to memory of 2376 N/A C:\PROGRA~3\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_9e6e7284a23918b54a8c6b281c5dc760.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_9e6e7284a23918b54a8c6b281c5dc760.dll,#1

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\1v42.dat,FG00

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\1v42.dat,FG01

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\1v42.dat,FG02

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\1v42.dat,FG03

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\1v42.dat,FG04

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\1v42.dat,FG06

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:275457 /prefetch:2

C:\Windows\system32\ctfmon.exe

ctfmon.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
RU 37.139.53.102:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
AT 66.197.215.165:80 tcp
US 8.8.8.8:53 whatwillber.com udp

Files

memory/1856-0-0x0000000000160000-0x0000000000161000-memory.dmp

memory/1856-1-0x0000000000130000-0x000000000015B000-memory.dmp

\PROGRA~3\1v42.dat

MD5 9e6e7284a23918b54a8c6b281c5dc760
SHA1 5fa233c2ac8906e228cdb124baa6d5b5ce3a345f
SHA256 b1bcab6f7b710ddbcec0ff9ded71c0bc8b40c6dc89f833bbd58d8226a014b32f
SHA512 416c80b0ad9a37adc1f6bcddbf7398a6b9a24be0ee7056dd70610567559c56b32d77eb44ae1a87c62a9c5f3d5d73f7c63953f96a8aee6256e0cd4f2b39f99769

memory/1856-6-0x0000000000130000-0x000000000015E000-memory.dmp

\PROGRA~3\rundll32.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/2952-16-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2952-17-0x0000000000260000-0x000000000028B000-memory.dmp

memory/1856-39-0x0000000000240000-0x000000000026E000-memory.dmp

memory/2952-42-0x0000000000260000-0x000000000028E000-memory.dmp

memory/2640-43-0x00000000001B0000-0x00000000001DE000-memory.dmp

memory/2596-44-0x0000000000170000-0x000000000019E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab758F.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar76A1.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28a7611317af252708b60b941b43e83e
SHA1 638da7fd788f2d80464740b9e433062b0ecbc3f0
SHA256 ff0e043822baceb7e93f99960524eca08acd574594158d92eef4f18be55b29e6
SHA512 cf9e83683dcf90d5e8078d31e37de3cea7031364921d80259fab994f345cb739afe20b9a5188764e2201f57fe0d9efc2e052d4fe0b739217d596f47b8a4840e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7de100c37db4450b011dfa476752204c
SHA1 0c5c7811d5ca220f42d8202567848507360f0e7d
SHA256 7bcd6f43ef78fa952afa88e71690adcf06ecd2a3f10be832654398a0be90b680
SHA512 88623d6565300fd41d8559ee28653fe746099f55f99728b1688ca532d1dbdb3ebe757a0f1e26d6b2c360cd4a76cf9520ef79cd4bf5ea231eccc4b38f84e090ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ca9667a795811e3d98b388b98fdd766
SHA1 4e4ed15eb681b7e904a834778e46034a5226e973
SHA256 bd724bb654a21090d7b79ad6caf68e22355959e2e4b69f13ba1fd3540057d230
SHA512 6a742f6144670cf05343ac48a7cebadc95efa1afb62d26d48d8d6917020557e933da1e31cf62db255d3b3baf81640c818f144a275bb6a17ea26acada6e7f30c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09dbec0dfa8be8549c8a8ec7fb487a4b
SHA1 ca51d40f203acace9d35137cc155c1d470ecba40
SHA256 bf41d5854edc809199943cc709d2b24f9e2a70c70f84028123716c2e15f9b6e8
SHA512 eb33789c395359680d19e80a9cb94581049649a795191cd11b93066929e71884272013dc8494749b412c04736e01230d2ef7bb74b5c9110df4f927cb9b9e1db4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 524b8d6d60de454c15aa1911dfdc1fc3
SHA1 1ee2826ea04bf6a7aa1a5b5f87d5b171ba92d190
SHA256 cf00293eda702aa9903cde0ce2707c11cc7a3c27ac9eceb440e411e909e1ad37
SHA512 8886d72a9809dfdf92e9d2a743ca4f23dcbc740f3ea2bdfa9b15c9816ec36a8abcc0de7c71f9e3ac87527d2a0d4939e74528990e82e23d959db8b45fa740c90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b410808c6933c60c451b6a7d949704f0
SHA1 81753036fd0857f9f32f4391a0fa23f132c0e6b8
SHA256 97739bcae69394700ee106a19e93c9b1c59fdd4530a9592638c8e1704a8f7009
SHA512 f182b834e263e123bdf7993e87ff3754eaf87dd7d64475a8de163666f970ac6eb05f3c6f3db09a059495ef38c380b55c3efb10c4bc6ce227858d836c08adb5bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11c2a8aee904404c741f1893d2c5e594
SHA1 fd37b569573fd4342f1311a2ee5b109fade72440
SHA256 f9c07d718aad08c79eb2f65f7ee7978885878a3bdb0baf127192ca3f8d4eacca
SHA512 5d987d0665c8c8e56b864a7227ddac308e467e07b617fef06c8f974a2dbdbb45ee2402c008a2fad369be2b09385fb8bd2083e714301de8adc8bf42706c2c5728

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6f20c19a15c2fc934586b9b76c2c289
SHA1 efcad9570fe87a9298a76075e0ab915cc9aa7071
SHA256 80d7e736bc3ef8ccabcb1ffb7a4d7659a129f1068fea38ec3d3da4660f0654e3
SHA512 b8a407c36a81c2665642b0dc8282880e8909d5085cec38120718e932a38e98040fa90b01736505beba25f033f6e3eb8f74743631efc98f232539ff30a7ee0793

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 314451eac049f0a229453b8fccfd407f
SHA1 31725590f2ad8d2f4cf9d7ed78d6c788b9af413b
SHA256 357155bc57f66a020b2653d5d85d7b4bbedbb8f9ccf4cc88ebf2dd9e446a427e
SHA512 0f30ddb9e92d3bf0dc6c45a5da45871a4545df059241ff0bd8bd4b463f559509064783eba87e7439a71d039bffa9f323f67c18d357001c38e071973f68d6d658

memory/1856-522-0x0000000000130000-0x000000000015B000-memory.dmp

memory/1856-521-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2952-528-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2952-529-0x0000000000260000-0x000000000028B000-memory.dmp

memory/2640-536-0x00000000001B0000-0x00000000001DE000-memory.dmp

memory/2596-547-0x0000000000170000-0x000000000019E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 960a40c6c19b5612ea1ad6a2ae254395
SHA1 e45aaa9478c9cf5ccc3abcb77b1346b80592a0dc
SHA256 5ad883197a59ba14d078e67df4596c1fa36a0087c99eb918c506c42b0f4b3df3
SHA512 2f9dfc1c5ebcfa40c88aac1393bbbc039f1cbfdb02c16e54681e04a3d8753f206afcd5fc0ac0ff1ae21a6d884d61da95d3cdf4c122cbcd72a8b904d594e88c26

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6f91ccd27fb248f94489cb57f57b84d
SHA1 2075d6c007eb35780fd9161de2ec115211a1d484
SHA256 85c54e3973367bb12717acccfcee5d5ac52f29194478cada15e0e0cae6d3eac7
SHA512 804c523d0bb55632a3d1ee4fea07c9ab759f80da24f2c12fefac835442b2f8539560f114a393da57befb05cfa0f8542b436e2018a74f4c56e2f7bb3fec2c61ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63935fad364558ea21e47e1ee0c012eb
SHA1 5ff1d2ddf6c25d6fcc7ef00f54df1781863b395c
SHA256 54c61da684c621a9bb93867e930f458e7c279e2aca3570cf98ee89d358f7b9b4
SHA512 49c78d18936d49748fd57df4c1ba1eeca94412700f8dc6c21ff34a9ef3a84fa7e843fc48c449f06f664cf1127af1a3e528f0d85f6ee7df78227298f322bea86c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08d9c72270c8c032efd04845acead260
SHA1 c8110f29869e2caba763e961020f56c93534cd6d
SHA256 bf79ec97d9175ff773c612da2b7efe97c3e684d340b58985ab17c5a49ccfd78d
SHA512 d6845e70b5a040ab123967cda0216a2902be49fb93270c6930e1e699571b2717c2df35933c0032d20bc7d9307eb54ede1b080fd1fc1bdbe62d6bb8185f32d7a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf0ab55ca2959fa61dae036ca43ed697
SHA1 4255f587407a5128cfcda78cc62ea3dc7f1093f0
SHA256 96308bb3e609877957e7caf4079ef41655526ade4672e57313a57858c3c91c5d
SHA512 b27436954a43a7d40cf8dd803f7bd37ff29f25c8133b4fbc22dde0a58ff519bca4ad959812ef5cc4dfa1ad0c82cd77d2fea1a57f84c1661c20819856e0f3993e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9497a57e8de20ca91b89fdc2d3cf851
SHA1 8457a82d998d4dbe7b42d10f3da1758a9874cae1
SHA256 514146c6e0d652d0135e8e0d569f86318a279c9ad855a650d754cc17c4bd1023
SHA512 4f596e677fb4940ca05b43781cdca02bdeb72ea667a573fe74dd4992f3554e21df4281fa8ab4dd591506897af26bdd4b9e23677ec4b5fa891380e434bd7bec93

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b21125e1b620b7917c4126ab6bd933f
SHA1 d1e4e446deb64f202903dceecd3190b563bca3d0
SHA256 ba2634d26efc9f143e786f72cc7ed1f54e6a4e59e3a88ef74dce9c54212da7e4
SHA512 40148e3c13ff0f4af97f2c0cf771bf35d6bc98457e86e707e8c0302239ffb9638d00c196da8d5d56fd3802a2d4fd717862220eaabf3cf8306327edab4f0a3de2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0144fe69379e09003f2547e40f87d2f1
SHA1 a43467796627e154b9d9bedcdd8e6ce43cbdbdab
SHA256 52192940fa9c5e0dbec1050f78f5f358a4d537d4830ecf8203f797d5975ff1e9
SHA512 123d15499379bcf71075bb0ed66565d4700097d9f816d067186c3f6cfd133aa1340f9684ee1a4ff0f3c410b23f0155d32104094ff92469e577b244bae9fed93d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11d0fd75c1c8d339f9bab1eedf411e25
SHA1 360c9d4aaba59a0e44eb90d755e81dfae0c80aa2
SHA256 285965dec995eb4150c2009834557c0877f796c210e6d1a3585e077899af1b3c
SHA512 408fcdc3fe4b5582c474988312bd65239ba4c82699e7bd5f2c63c3b08076b1428503b82b38c2491195e4e3618e60859691dbf840b59f6fb0f8b4c9665b720dac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d54e217a841386fc835d8a8fe2bafaf1
SHA1 0e2a7989e863e288d2ac5d33e5ce5a53b74e9460
SHA256 ada6f2abf967a58ea7fc63c92fce9ed72082893947fbd4271e81baa8f8d57f71
SHA512 29753ce9f483d715daec57aef9383382ddf6ab1434a2823a007202272aebaa202af70b26c1abedbd597cbb07ea2fee7a1a433425133757e048bcb4497083ec89

memory/2596-1037-0x0000000000170000-0x000000000019E000-memory.dmp

memory/2596-1047-0x0000000000170000-0x000000000019E000-memory.dmp

memory/2596-1052-0x0000000000170000-0x000000000019E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 21:54

Reported

2024-06-10 21:57

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_9e6e7284a23918b54a8c6b281c5dc760.dll,#1

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\rundll32.exe N/A
N/A N/A C:\PROGRA~3\rundll32.exe N/A
N/A N/A C:\PROGRA~3\rundll32.exe N/A
N/A N/A C:\PROGRA~3\rundll32.exe N/A
N/A N/A C:\PROGRA~3\rundll32.exe N/A
N/A N/A C:\PROGRA~3\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\PROGRA~3\\rundll32.exe C:\\PROGRA~3\\jedgto.dat,FG00" C:\PROGRA~3\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\rundll32.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\PROGRA~3\jedgto.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\PROGRA~3\otgdej.pad C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\PROGRA~3\otgdej.js C:\PROGRA~3\rundll32.exe N/A
File created C:\PROGRA~3\otgdej.pad C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\PROGRA~3\as98213.txt C:\PROGRA~3\rundll32.exe N/A
File opened for modification C:\PROGRA~3\otgdej.pad C:\PROGRA~3\rundll32.exe N/A
File created C:\PROGRA~3\otgdej.bat C:\PROGRA~3\rundll32.exe N/A
File created C:\PROGRA~3\otgdej.reg C:\PROGRA~3\rundll32.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\PROGRA~3\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3" C:\PROGRA~3\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\PROGRA~3\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\PROGRA~3\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\PROGRA~3\rundll32.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\PROGRA~3\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\PROGRA~3\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{150579FE-2774-11EF-BCA5-527CD1CC5F27} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424218378" C:\Program Files\Internet Explorer\iexplore.exe N/A
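The registry rows above mix two very different things: the Protected Mode changes written by C:\PROGRA~3\rundll32.exe (the 2500 value under each Internet Settings zone, where 0 means Protected Mode on and 3 means off, plus NoProtectedModeBanner = 1 to hide the notification bar), and ordinary browser housekeeping written by iexplore.exe itself once it is launched (Window_Placement, GPU\AdapterInfo, Recovery keys). The following script is an added example, not part of the sandbox report: it parses rows in the report's own "Description Indicator Process Target" layout, decodes the zone and Protected Mode semantics, and separates writes by the browser from writes by any other process. The sample rows are constructed here from entries on this page; the rule names and the assumption that only Internet Explorer's own binaries are expected writers of these keys are the author's, not the report's.

```python
import re

# Added example, not part of the sandbox report. Rows are constructed in the
# report's "Description Indicator Process Target" layout, using the SID from the report.
SID = "S-1-5-21-1337824034-2731376981-3755436523-1000"
PROGDATA_RUNDLL = "C:\\PROGRA~3\\rundll32.exe"
IEXPLORE = "C:\\Program Files\\Internet Explorer\\iexplore.exe"


def user_key(rel):
    """Build a \\REGISTRY\\USER\\<SID>\\... path in the report's notation."""
    return "\\REGISTRY\\USER\\" + SID + "\\" + rel


def set_row(typ, rel, val, proc):
    return f'Set value ({typ}) {user_key(rel)} = "{val}" {proc} N/A'


def key_row(rel, proc):
    return f"Key created {user_key(rel)} {proc} N/A"


SAMPLE_ROWS = [  # constructed from rows on this page
    set_row("int", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500", "3", PROGDATA_RUNDLL),
    set_row("int", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500", "3", PROGDATA_RUNDLL),
    set_row("int", r"SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner", "1", PROGDATA_RUNDLL),
    set_row("str", r"SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen", "no", IEXPLORE),
    set_row("int", r"SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags", "0", IEXPLORE),
    key_row(r"Software\Microsoft\Internet Explorer\Main", PROGDATA_RUNDLL),
]

SET_RE = re.compile(r'^Set value \((?P<typ>\w+)\) (?P<key>.+?) = "(?P<val>.*?)" (?P<proc>.+?) N/A$')
KEY_RE = re.compile(r"^Key created (?P<key>.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$")
# Value 2500 under a zone key controls Protected Mode: 0 = on, 3 = off.
ZONE_PM_RE = re.compile(r"\\Internet Settings\\Zones\\(?P<zone>[0-4])\\2500$", re.IGNORECASE)
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
# Assumption: only IE's own binaries are expected to touch these per-user IE keys.
EXPECTED_IE_WRITERS = ("c:\\program files\\internet explorer\\", "c:\\program files (x86)\\internet explorer\\")


def expected_writer(proc):
    return proc.lower().startswith(EXPECTED_IE_WRITERS)


def classify_set(key, val, proc):
    """Return a finding for one 'Set value' row, or None if it looks like browser housekeeping."""
    z = ZONE_PM_RE.search(key)
    if z:
        state = {"0": "enabled", "3": "disabled"}.get(val, "unknown")
        if state != "enabled":
            return {"rule": "ie_protected_mode_" + state, "zone": ZONE_NAMES[int(z["zone"])], "value": val, "proc": proc}
    elif key.lower().endswith("\\internet explorer\\main\\noprotectedmodebanner") and val == "1":
        return {"rule": "ie_protected_mode_banner_suppressed", "proc": proc}
    if not expected_writer(proc):
        return {"rule": "ie_setting_written_by_unexpected_process", "key": key.rsplit("\\", 1)[-1], "proc": proc}
    return None


def triage_rows(rows):
    """Parse report rows and return the list of findings worth an analyst's attention."""
    findings = []
    for row in rows:
        m = SET_RE.match(row)
        if m:
            f = classify_set(m["key"], m["val"], m["proc"])
            if f:
                findings.append(f)
            continue
        m = KEY_RE.match(row)
        if m and not expected_writer(m["proc"]):
            findings.append({"rule": "ie_key_created_by_unexpected_process",
                             "key": m["key"].rsplit("\\", 1)[-1], "proc": m["proc"]})
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_rows(SAMPLE_ROWS):
        print(f)
```

Two points for a practitioner: these are HKCU writes, so they disable Protected Mode only for that user's Internet Explorer profile, and the PROGRA~3 writer path is the 8.3 short name form, which the Files section of this report pairs with C:\ProgramData\rundll32.exe and C:\ProgramData\jedgto.dat.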

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4912 wrote to memory of 2688 N/A C:\Windows\SysWOW64\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 4912 wrote to memory of 2688 N/A C:\Windows\SysWOW64\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 4912 wrote to memory of 2688 N/A C:\Windows\SysWOW64\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 1316 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 1316 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 1316 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 3712 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 3712 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 3712 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 1820 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 1820 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 1820 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 3600 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 3600 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 3600 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 400 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 400 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 2688 wrote to memory of 400 N/A C:\PROGRA~3\rundll32.exe C:\PROGRA~3\rundll32.exe
PID 1820 wrote to memory of 4828 N/A C:\PROGRA~3\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1820 wrote to memory of 4828 N/A C:\PROGRA~3\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4828 wrote to memory of 4504 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4828 wrote to memory of 4504 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4828 wrote to memory of 4504 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1820 wrote to memory of 4828 N/A C:\PROGRA~3\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1820 wrote to memory of 4828 N/A C:\PROGRA~3\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_9e6e7284a23918b54a8c6b281c5dc760.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_9e6e7284a23918b54a8c6b281c5dc760.dll,#1

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG00

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG01

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG02

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG03

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG04

C:\PROGRA~3\rundll32.exe

C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG06

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4828 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
RU 37.139.53.102:80 tcp
AT 66.197.215.165:80 tcp
US 8.8.8.8:53 whatwillber.com udp

Files

memory/4912-1-0x0000000002A30000-0x0000000002A5B000-memory.dmp

memory/4912-0-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

C:\ProgramData\jedgto.dat

MD5 9e6e7284a23918b54a8c6b281c5dc760
SHA1 5fa233c2ac8906e228cdb124baa6d5b5ce3a345f
SHA256 b1bcab6f7b710ddbcec0ff9ded71c0bc8b40c6dc89f833bbd58d8226a014b32f
SHA512 416c80b0ad9a37adc1f6bcddbf7398a6b9a24be0ee7056dd70610567559c56b32d77eb44ae1a87c62a9c5f3d5d73f7c63953f96a8aee6256e0cd4f2b39f99769

memory/4912-9-0x0000000002A30000-0x0000000002A5E000-memory.dmp

C:\ProgramData\rundll32.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/2688-19-0x0000000002340000-0x000000000236B000-memory.dmp

memory/2688-18-0x0000000000910000-0x0000000000911000-memory.dmp

memory/2688-42-0x0000000002340000-0x000000000236E000-memory.dmp

memory/4912-41-0x00000000030E0000-0x000000000310E000-memory.dmp

memory/1316-45-0x0000000000800000-0x000000000082E000-memory.dmp

memory/400-49-0x0000000001070000-0x000000000109E000-memory.dmp

memory/3600-48-0x0000000000C80000-0x0000000000CAE000-memory.dmp

memory/1820-47-0x0000000000E80000-0x0000000000EAE000-memory.dmp

memory/3712-46-0x0000000000AE0000-0x0000000000B0E000-memory.dmp

memory/4912-53-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

memory/4912-54-0x0000000002A30000-0x0000000002A5B000-memory.dmp

memory/3600-57-0x0000000000C80000-0x0000000000CAE000-memory.dmp

memory/400-58-0x0000000001070000-0x000000000109E000-memory.dmp

memory/2688-61-0x0000000002340000-0x000000000236B000-memory.dmp

memory/2688-60-0x0000000000910000-0x0000000000911000-memory.dmp

memory/3600-74-0x0000000000C80000-0x0000000000CAE000-memory.dmp

memory/400-83-0x0000000001070000-0x000000000109E000-memory.dmp

memory/400-95-0x0000000001070000-0x000000000109E000-memory.dmp

memory/400-103-0x0000000001070000-0x000000000109E000-memory.dmp