Malware Analysis Report

2024-10-18 22:07

Sample ID: 240611-qjcprsyalb
Target: 9e4e62a0a066ac3a251b823def1ce4b0_JaffaCakes118
SHA256: 3635eeabd3ee2766f71d78f0630ad212708c1f40bf638fc63a73d2815b57e830
Tags: bootkit, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 3635eeabd3ee2766f71d78f0630ad212708c1f40bf638fc63a73d2815b57e830

Threat Level: Shows suspicious behavior

The file 9e4e62a0a066ac3a251b823def1ce4b0_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence

Deletes itself

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 13:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(10 identical entries)

NSIS installer

Tag: installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(4 identical entries)

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3632 wrote to memory of 2780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
(3 identical entries)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2780 -ip 2780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 600

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

memory/2780-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2780-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1924 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
(36 identical entries)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe

"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"

Network

N/A

Files

memory/1116-2-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-1-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-0-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-25-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-24-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-23-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-22-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-21-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-20-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-19-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-3-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-18-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-17-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-16-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-15-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-14-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-13-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-12-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-11-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-10-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-9-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-8-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-7-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-6-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-5-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1116-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2120 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
(38 identical entries)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe

"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240221-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e4e62a0a066ac3a251b823def1ce4b0_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e4e62a0a066ac3a251b823def1ce4b0_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9e4e62a0a066ac3a251b823def1ce4b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9e4e62a0a066ac3a251b823def1ce4b0_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst9E73.tmp\System.dll

MD5 56a321bd011112ec5d8a32b2f6fd3231
SHA1 df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256 bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

C:\Users\Admin\AppData\Local\Temp\nst9E73.tmp\ioSpecial.ini

MD5 e4d431081a1138c404ce4dfb593e07ae
SHA1 5091c82f636b04834d93d514436bdffca95a23e6
SHA256 1d08fb336fecaa889d1d45ecb7e6947324227ede89273d5b126c30095d11798b
SHA512 ac8265574db83d4b75b514981d1861c867fafc2daf740f337093fb49a2d1d100efa5fcf17b0282ab65bfea60bab550fae09b332bd60042229ca555d82e5fbe0e

C:\Users\Admin\AppData\Local\Temp\nst9E73.tmp\ioSpecial.ini

MD5 d7c9d13e36118b74e953e566dee84ad8
SHA1 5c492c28cd91727ee5f0339336ff6a92245c8574
SHA256 92d6e99d4f8a887bc38e783673740d9f2f142c945bd51d6b16bc02a544916713
SHA512 a29395001dffde74a405d1c47a36920b51fc35216bd2f44ca5292156497dbd41e4785916c796888d7832f6866c5a6ccc1f1eb941c2c423b8fb1f36cafb6c676a

\Users\Admin\AppData\Local\Temp\nst9E73.tmp\InstallOptions.dll

MD5 d753362649aecd60ff434adf171a4e7f
SHA1 3b752ad064e06e21822c8958ae22e9a6bb8cf3d0
SHA256 8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586
SHA512 41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config.ini | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4804 wrote to memory of 1588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
(3 identical entries)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe | N/A
(2 identical entries)

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\lq.exe | N/A

Enumerates physical storage devices

NSIS installer

Tag: installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(2 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\lq.exe

"C:\Users\Admin\AppData\Local\Temp\lq.exe" /uninstallsucc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | d.wanyouxi7.com | udp
US | 8.8.8.8:53 | a.clickdata.37wan.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe

MD5 3c03aa0a11686e0413a7f56b861972eb
SHA1 d291d59d8dab8d1fd0c7873a529def7dd05cc0db
SHA256 e613cbdca52993e08c6acbc750536b808f0e88024887867dc6cadf12aa9e93b1
SHA512 d002b3c02d6a65f49cf4aeb9ffd5ba1d75b6c5c2d1a2e31d8378d3b83e7950b64c8fd94af817806b7ba9f7850b836ea6602b67364c26d17a87e6f1c496f6a829

C:\Users\Admin\AppData\Local\Temp\nsj5D44.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/4380-10-0x0000000010000000-0x0000000010003000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsj5D44.tmp\inetc.dll

MD5 50fdadda3e993688401f6f1108fabdb4
SHA1 04a9ae55d0fb726be49809582cea41d75bf22a9a
SHA256 6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6
SHA512 e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

C:\Users\Admin\AppData\Local\Temp\config.ini

MD5 b6a477832c0b2970d35fa811dd137dc4
SHA1 9ba543be34bb54225f9110cd800db26283c56461
SHA256 da1ecd9afbea03ad48769f3812be703b1f3f1c213401fded9afbbfd401814636
SHA512 6c181827aad44b0773119230110c5e22fc2ca8790604b88312759e37cb66aa181e3deb3e94b91f7436e6dc7232e7a9f794cf8a7e6ceb5af5ccb32d2b62dece59

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3068 wrote to memory of 3244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
(3 identical entries)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 612

Network

Country | Destination | Domain | Proto
US | 52.111.229.43:443 | | tcp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4760 wrote to memory of 4888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
(3 identical entries)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4888 -ip 4888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 624

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240508-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 224

Network

N/A

Files

memory/2384-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2384-0-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\lq.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lq.exe | N/A
(2 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\lq.exe

"C:\Users\Admin\AppData\Local\Temp\lq.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | gameapp.37.com | udp
CN | 193.112.84.233:80 | gameapp.37.com | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp

Files

memory/2176-3-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/2176-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\lq.exe | N/A

Enumerates physical storage devices

NSIS installer

Tag: installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(2 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2088 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe
(7 identical entries)
PID 2004 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe | C:\Users\Admin\AppData\Local\Temp\lq.exe
(4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\lq.exe

"C:\Users\Admin\AppData\Local\Temp\lq.exe" /uninstallsucc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | d.wanyouxi7.com | udp
GB | 174.35.118.62:80 | d.wanyouxi7.com | tcp
US | 8.8.8.8:53 | a.clickdata.37wan.com | udp
CN | 106.55.79.146:80 | a.clickdata.37wan.com | tcp
CN | 159.75.141.43:80 | a.clickdata.37wan.com | tcp

Files

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe

MD5 3c03aa0a11686e0413a7f56b861972eb
SHA1 d291d59d8dab8d1fd0c7873a529def7dd05cc0db
SHA256 e613cbdca52993e08c6acbc750536b808f0e88024887867dc6cadf12aa9e93b1
SHA512 d002b3c02d6a65f49cf4aeb9ffd5ba1d75b6c5c2d1a2e31d8378d3b83e7950b64c8fd94af817806b7ba9f7850b836ea6602b67364c26d17a87e6f1c496f6a829

\Users\Admin\AppData\Local\Temp\nsy3303.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/2004-12-0x0000000010000000-0x0000000010003000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy3303.tmp\inetc.dll

MD5 50fdadda3e993688401f6f1108fabdb4
SHA1 04a9ae55d0fb726be49809582cea41d75bf22a9a
SHA256 6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6
SHA512 e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

C:\Users\Admin\AppData\Local\Temp\config.ini

MD5 f4553cbf4518de0387974425064c0dca
SHA1 7aba2ccda6c4dc2084e2d7e9bb9f0012023ad7d4
SHA256 71fcb99bb8b65d5d3fb7a5dfb09b93f7bee46b22434332c5fef74a2680c51b7b
SHA512 8b8ea5c2d07a639a77435012e4cf828745f35a1e83b2b7d330c98c10e5827ab0acd1ba005e3d02fbe1c8eb70b15aca70106c23d8488c4140b2e57967b760a667

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 3996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3996 -ip 3996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240221-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\lq.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\lq.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lq.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\lq.exe

"C:\Users\Admin\AppData\Local\Temp\lq.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gameapp.37.com udp
CN 193.112.84.233:80 gameapp.37.com tcp

Files

memory/1680-3-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

memory/1680-4-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240508-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 224

Network

N/A

Files

memory/2456-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2456-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2456-2-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 224

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240221-en

Max time kernel

117s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 248

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240221-en

Max time kernel

117s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 248

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240215-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 220

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 4840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4840 -ip 4840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 224

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240508-en

Max time kernel

120s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconTips.exe

"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"

Network

N/A

Files

memory/1192-0-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-11-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-12-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-13-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-18-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-25-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-26-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-24-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-23-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-22-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-21-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-20-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-19-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-17-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-16-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-15-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-14-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-10-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-9-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-8-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-7-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-6-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-5-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-4-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-3-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-2-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1192-1-0x0000000002E00000-0x0000000002E01000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

99s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5712 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconTips.exe

"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config.ini C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 1616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 536 wrote to memory of 3580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3580 -ip 3580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4448 wrote to memory of 2756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

memory/2756-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2756-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3088 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1528 -ip 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 616

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240508-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 224

Network

N/A

Files

memory/1872-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/1872-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/1872-2-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4680 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4680 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4680 wrote to memory of 2912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2912 -ip 2912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 600

Network

Country Destination Domain Proto

Files

memory/2912-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2912-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240419-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 236

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e4e62a0a066ac3a251b823def1ce4b0_JaffaCakes118.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9e4e62a0a066ac3a251b823def1ce4b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9e4e62a0a066ac3a251b823def1ce4b0_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsuEA14.tmp\System.dll

MD5 56a321bd011112ec5d8a32b2f6fd3231
SHA1 df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256 bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

C:\Users\Admin\AppData\Local\Temp\nsuEA14.tmp\ioSpecial.ini

MD5 3c5018422bc44852ed504898460dba52
SHA1 2023e225de4ff192b5a4a18438edc777a31adb07
SHA256 ed39ef40004e01d1420b9ec49370fecc97d4be4ad6421ceb543414980304b893
SHA512 c1329a18d4718be38173de5d67082bf8831ea77340c6ee642c4126bf0d83495faf7b7bd761d44d8b293a20385130f15b267224f1cb35520dff8ed471fc2a6c2c

C:\Users\Admin\AppData\Local\Temp\nsuEA14.tmp\InstallOptions.dll

MD5 d753362649aecd60ff434adf171a4e7f
SHA1 3b752ad064e06e21822c8958ae22e9a6bb8cf3d0
SHA256 8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586
SHA512 41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 224

Network

N/A

Files

memory/2116-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2116-1-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-11 13:17

Reported

2024-06-11 13:19

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4748 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4748 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4748 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4536 -ip 4536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 600

Network

Country Destination Domain Proto

Files

memory/4536-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/4536-1-0x0000000010000000-0x0000000010003000-memory.dmp