Malware Analysis Report

2024-08-06 11:41

Sample ID 240612-feblss1ejn
Target Seroxen.rar
SHA256 51a8255b49900d66ec1640d09f12c057b8d0a2e0dbc6e8dee2f61b959a52b2a0
Tags
agenttesla quasar seroxen keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

51a8255b49900d66ec1640d09f12c057b8d0a2e0dbc6e8dee2f61b959a52b2a0

Threat Level: Known bad

The file Seroxen.rar was found to be: Known bad.

Malicious Activity Summary

agenttesla quasar seroxen keylogger spyware stealer trojan

AgentTesla payload

Agenttesla family

Quasar RAT

Quasar family

AgentTesla

Quasar payload

AgentTesla payload

Executes dropped EXE

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-12 04:46

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240611-en

Max time kernel

458s

Max time network

1178s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240508-en

Max time kernel

1164s

Max time network

1166s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.ProBuilder.KdTree.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.ProBuilder.KdTree.dll,#1

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240611-en

Max time kernel

990s

Max time network

1175s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.ProBuilder.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.ProBuilder.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240419-en

Max time kernel

1166s

Max time network

1169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\Uni.bat N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\Documents\Uni.bat N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \Registry\User\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\NotificationData C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\Uni.bat N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\Uni.bat N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3148 wrote to memory of 2712 N/A C:\Users\Admin\Documents\Uni.bat C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3148 wrote to memory of 2712 N/A C:\Users\Admin\Documents\Uni.bat C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3148 wrote to memory of 2712 N/A C:\Users\Admin\Documents\Uni.bat C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3148 wrote to memory of 4684 N/A C:\Users\Admin\Documents\Uni.bat C:\Windows\SysWOW64\SCHTASKS.exe
PID 3148 wrote to memory of 4684 N/A C:\Users\Admin\Documents\Uni.bat C:\Windows\SysWOW64\SCHTASKS.exe
PID 3148 wrote to memory of 4684 N/A C:\Users\Admin\Documents\Uni.bat C:\Windows\SysWOW64\SCHTASKS.exe
PID 4504 wrote to memory of 4884 N/A C:\Users\Admin\Documents\Uni.bat C:\Windows\SysWOW64\SCHTASKS.exe
PID 4504 wrote to memory of 4884 N/A C:\Users\Admin\Documents\Uni.bat C:\Windows\SysWOW64\SCHTASKS.exe
PID 4504 wrote to memory of 4884 N/A C:\Users\Admin\Documents\Uni.bat C:\Windows\SysWOW64\SCHTASKS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe

"C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Documents\Uni.bat

"C:\Users\Admin\Documents\Uni.bat"

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni.bat" /tr "'C:\Users\Admin\Documents\Uni.bat'" /sc onlogon /rl HIGHEST

C:\Users\Admin\Documents\Uni.bat

"C:\Users\Admin\Documents\Uni.bat"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni.bat" /tr "'C:\Users\Admin\Documents\Uni.bat'" /sc onlogon /rl HIGHEST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\Uni.bat"

Network

Country Destination Domain Proto
N/A 10.127.0.1:5351 udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:4782 tcp

Files

memory/4144-0-0x0000020A2F830000-0x0000020A2F984000-memory.dmp

memory/4144-1-0x00007FFA7DA33000-0x00007FFA7DA35000-memory.dmp

memory/4144-2-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

memory/4144-3-0x0000020A4A4D0000-0x0000020A4A6C6000-memory.dmp

memory/4144-4-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

memory/4144-5-0x00007FFA7DA33000-0x00007FFA7DA35000-memory.dmp

memory/4144-6-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

memory/4144-7-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 18951ad4190ed728ba23e932e0c6e0db
SHA1 fa2d16fcbc3defd07cb8f21d8ea4793a21f261f0
SHA256 66607b009c345a8e70fc1e58ab8a13bbea0e370c8d75f16d2cce5b876a748915
SHA512 a67237089efa8615747bdc6cfe0afc977dc54cfd624a8d2e5124a441c204f1ec58ee7cfbbc105ddc2c18d4f254b9e124d71630bcdba0253d41a96890104f2fff

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 ee87a5df2cec41353233851e9956d539
SHA1 cdd287b4be58f5ee3464c31c9f073daad13f2eb7
SHA256 2c25ce8141d1e6e601907a4d54f367ba7f6032c9596d24b30a245d94b719c880
SHA512 3afe8451239bbfa4c7cd6ad4e123d8558aba43a570998ef76834dd12b8b0266a4c9dc7bf57dd9a903208a029f3a0ae54822f1ba1d29414615bdcea963b062379

memory/4144-27-0x0000020A4EC70000-0x0000020A4EC80000-memory.dmp

memory/4144-28-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\settings.xml

MD5 ea1a03052a1310e3484568dc3062af6d
SHA1 611f6dcb83df20de995a6b73a3f9daa92fe6af4d
SHA256 3e339b0b721dc6969f9fb68c66c2ebd2e320a6b6ba70d253280019ef2ea7ca78
SHA512 a4c44100fa006a1212eff32fa0afb99d8e4672ba2708e7510bd8646131a3ea8fc8073adbbed24f81c4ebea00e86b15957418223d466d414e093c95c06ed6d3fd

C:\Users\Admin\AppData\Local\Temp\settings.xml

MD5 8f65a092bc59bb96fa687d489ee9103d
SHA1 8163ad573228c459235af4aa2dc904e030b7040d
SHA256 21f32201c7125cebf9850445420879d6df85b646552a17676e35d153f89d2cae
SHA512 9752112016e9ab460407823a09378c5b9c4d0ccd68075803ca6bbd168ed10fa64dd44603c7b6fa406d3e427947fbcc35497f1c287dfc3fd66d868930daaa7dfc

memory/4144-67-0x0000020A4FA50000-0x0000020A4FA6A000-memory.dmp

memory/4144-66-0x0000020A51AA0000-0x0000020A51AEC000-memory.dmp

C:\Users\Admin\Documents\Uni.bat

MD5 840b963600971bff36bb226df517dd1f
SHA1 7301ebd7d23c31f96144e2ad02f83ae77a0dd6a8
SHA256 1f50acfa8dea546674bd60e8c790c0bbc28ad0621fe276664ae791a2eec985c0
SHA512 379ef09b54bb6ffe2b5826c037888e5a1df7ded70ddae73fae77ba13120e185084ddacc206b1b9d4439269f031c0bc48969695ec0d6a458fb3fadd5f8458d7fa

memory/3148-71-0x00000000005D0000-0x000000000063C000-memory.dmp

memory/3148-72-0x00000000055F0000-0x0000000005B96000-memory.dmp

memory/3148-73-0x0000000005130000-0x00000000051C2000-memory.dmp

memory/3148-74-0x00000000051D0000-0x0000000005236000-memory.dmp

memory/3148-75-0x0000000005E20000-0x0000000005E32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Profiles\Default.xml

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Profiles\Default.xml

MD5 4405fbef8f1ac6ae77f7abcdae80be9b
SHA1 e5ed54dba4f77bafa6f06c9b87b3660ca53a28a7
SHA256 3af406913afef2e578ad38c363204ac0469151e4a951160f2d5d6bed72acbd25
SHA512 3093c797bd071b5d4fc61225c8fb279cffb05ae8fe55dbb232a9395e80e7c1937ae50b6da3b2fcd25ec465d33a886c61c29262661c4641f4fc0f77a014e9bd63

memory/2712-136-0x0000000006C30000-0x0000000006C3A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Uni.bat.log

MD5 c3c9120b62cd7f90edd5b6ac8b78b932
SHA1 0ed3c584e8c61216b86ddb5749b839a1338ec51c
SHA256 65c3ac0ff9eb9cfc8b680acff81aadf944913d1e3008a5e638bbfea8cf78f0d5
SHA512 0fd797e3b58b42b047891c1a77d5e3b4fc92e34357af745de1bf4e8a4a4c259d6a146fa8b9dc0afb91c80f9eb3c5be18765e156fd749041d25d9d16533f5a9d3

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240508-en

Max time kernel

1169s

Max time network

1173s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.ProBuilder.Poly2Tri.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.ProBuilder.Poly2Tri.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:09

Platform

win11-20240611-en

Max time kernel

447s

Max time network

1166s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AudioModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AudioModule.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240611-en

Max time kernel

1149s

Max time network

1151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Nat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Nat.dll,#1

Network

Country Destination Domain Proto
NL 20.103.156.88:443 tcp
NL 20.103.156.88:443 tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240611-en

Max time kernel

451s

Max time network

1174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Siticone.Desktop.UI.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Siticone.Desktop.UI.dll,#1

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240508-en

Max time kernel

1175s

Max time network

1179s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Unify.exe.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31112368" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "168445397" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 696 N/A C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 1460 wrote to memory of 696 N/A C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Unify.exe.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Unify.exe.xml

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1460-6-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/1460-5-0x00007FFD6E130000-0x00007FFD6E140000-memory.dmp

memory/1460-10-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/1460-9-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/1460-11-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/1460-15-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/1460-19-0x00007FFD6E130000-0x00007FFD6E140000-memory.dmp

memory/1460-20-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/1460-18-0x00007FFD6E130000-0x00007FFD6E140000-memory.dmp

memory/1460-17-0x00007FFD6E130000-0x00007FFD6E140000-memory.dmp

memory/1460-16-0x00007FFD6E130000-0x00007FFD6E140000-memory.dmp

memory/1460-14-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/1460-13-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/1460-12-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/1460-8-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/1460-7-0x00007FFDAE0A0000-0x00007FFDAE2A9000-memory.dmp

memory/1460-4-0x00007FFDAE143000-0x00007FFDAE144000-memory.dmp

memory/1460-3-0x00007FFD6E130000-0x00007FFD6E140000-memory.dmp

memory/1460-1-0x00007FFD6E130000-0x00007FFD6E140000-memory.dmp

memory/1460-2-0x00007FFD6E130000-0x00007FFD6E140000-memory.dmp

memory/1460-0-0x00007FFD6E130000-0x00007FFD6E140000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240508-en

Max time kernel

1173s

Max time network

1175s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AndroidJNIModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AndroidJNIModule.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240419-en

Max time kernel

1176s

Max time network

1177s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AnimationModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AnimationModule.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:09

Platform

win11-20240508-en

Max time kernel

1170s

Max time network

1171s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.ClusterInputModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.ClusterInputModule.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:09

Platform

win11-20240611-en

Max time kernel

456s

Max time network

1179s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.ClusterRendererModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.ClusterRendererModule.dll,#1

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240508-en

Max time kernel

1177s

Max time network

1179s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Octokit.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Octokit.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240508-en

Max time kernel

1168s

Max time network

1170s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\SeroR0X.exe.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1143247655" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31112359" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3708 wrote to memory of 2748 N/A C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 3708 wrote to memory of 2748 N/A C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\SeroR0X.exe.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\SeroR0X.exe.xml

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3708-0-0x00007FFCFCFB0000-0x00007FFCFCFC0000-memory.dmp

memory/3708-3-0x00007FFCFCFB0000-0x00007FFCFCFC0000-memory.dmp

memory/3708-5-0x00007FFD3CFC3000-0x00007FFD3CFC4000-memory.dmp

memory/3708-6-0x00007FFD3CF20000-0x00007FFD3D129000-memory.dmp

memory/3708-4-0x00007FFCFCFB0000-0x00007FFCFCFC0000-memory.dmp

memory/3708-2-0x00007FFCFCFB0000-0x00007FFCFCFC0000-memory.dmp

memory/3708-7-0x00007FFD3CF20000-0x00007FFD3D129000-memory.dmp

memory/3708-1-0x00007FFCFCFB0000-0x00007FFCFCFC0000-memory.dmp

memory/3708-9-0x00007FFD3CF20000-0x00007FFD3D129000-memory.dmp

memory/3708-8-0x00007FFD3CF20000-0x00007FFD3D129000-memory.dmp

memory/3708-12-0x00007FFD3CF20000-0x00007FFD3D129000-memory.dmp

memory/3708-11-0x00007FFD3CF20000-0x00007FFD3D129000-memory.dmp

memory/3708-10-0x00007FFD3CF20000-0x00007FFD3D129000-memory.dmp

memory/3708-14-0x00007FFD3CF20000-0x00007FFD3D129000-memory.dmp

memory/3708-13-0x00007FFD3CF20000-0x00007FFD3D129000-memory.dmp

memory/3708-18-0x00007FFCFCFB0000-0x00007FFCFCFC0000-memory.dmp

memory/3708-19-0x00007FFD3CF20000-0x00007FFD3D129000-memory.dmp

memory/3708-15-0x00007FFCFCFB0000-0x00007FFCFCFC0000-memory.dmp

memory/3708-17-0x00007FFCFCFB0000-0x00007FFCFCFC0000-memory.dmp

memory/3708-16-0x00007FFCFCFB0000-0x00007FFCFCFC0000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240611-en

Max time kernel

447s

Max time network

1172s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.Burst.Unsafe.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.Burst.Unsafe.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:09

Platform

win11-20240508-en

Max time kernel

1174s

Max time network

1176s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.DSPGraphModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.DSPGraphModule.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:10

Platform

win11-20240508-en

Max time kernel

1173s

Max time network

1182s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\settings.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31112356" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "4137876246" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 3628 N/A C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2320 wrote to memory of 3628 N/A C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\settings.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\settings.xml

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2320-0-0x00007FF9AA2F0000-0x00007FF9AA300000-memory.dmp

memory/2320-1-0x00007FF9EA303000-0x00007FF9EA304000-memory.dmp

memory/2320-3-0x00007FF9AA2F0000-0x00007FF9AA300000-memory.dmp

memory/2320-5-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

memory/2320-6-0x00007FF9AA2F0000-0x00007FF9AA300000-memory.dmp

memory/2320-4-0x00007FF9AA2F0000-0x00007FF9AA300000-memory.dmp

memory/2320-2-0x00007FF9AA2F0000-0x00007FF9AA300000-memory.dmp

memory/2320-8-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

memory/2320-10-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

memory/2320-11-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

memory/2320-9-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

memory/2320-7-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

memory/2320-12-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

memory/2320-13-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

memory/2320-15-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

memory/2320-14-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

memory/2320-16-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

memory/2320-20-0x00007FF9AA2F0000-0x00007FF9AA300000-memory.dmp

memory/2320-19-0x00007FF9AA2F0000-0x00007FF9AA300000-memory.dmp

memory/2320-18-0x00007FF9AA2F0000-0x00007FF9AA300000-memory.dmp

memory/2320-17-0x00007FF9AA2F0000-0x00007FF9AA300000-memory.dmp

memory/2320-21-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240508-en

Max time kernel

1168s

Max time network

1170s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240508-en

Max time kernel

1162s

Max time network

1164s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.Mathematics.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.Mathematics.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:09

Platform

win11-20240611-en

Max time kernel

451s

Max time network

1170s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.CrashReportingModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.CrashReportingModule.dll,#1

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240611-en

Max time kernel

448s

Max time network

1172s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Octokit.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "2087127349" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31112348" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 760 wrote to memory of 5060 N/A C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 760 wrote to memory of 5060 N/A C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Octokit.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Octokit.xml

Network

Files

memory/760-2-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmp

memory/760-0-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmp

memory/760-1-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmp

memory/760-4-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmp

memory/760-3-0x00007FFB7E1A3000-0x00007FFB7E1A4000-memory.dmp

memory/760-7-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

memory/760-6-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

memory/760-5-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmp

memory/760-10-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

memory/760-9-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

memory/760-8-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

memory/760-11-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

memory/760-12-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

memory/760-14-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

memory/760-13-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

memory/760-18-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmp

memory/760-17-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmp

memory/760-19-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

memory/760-16-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmp

memory/760-15-0x00007FFB3E190000-0x00007FFB3E1A0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240508-en

Max time kernel

1166s

Max time network

1176s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Profiles\Default.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31112330" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3196656068" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 760 wrote to memory of 5000 N/A C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 760 wrote to memory of 5000 N/A C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Profiles\Default.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Profiles\Default.xml

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

memory/760-0-0x00007FFAC58F0000-0x00007FFAC5900000-memory.dmp

memory/760-2-0x00007FFAC58F0000-0x00007FFAC5900000-memory.dmp

memory/760-4-0x00007FFAC58F0000-0x00007FFAC5900000-memory.dmp

memory/760-3-0x00007FFAC58F0000-0x00007FFAC5900000-memory.dmp

memory/760-5-0x00007FFB05903000-0x00007FFB05904000-memory.dmp

memory/760-1-0x00007FFAC58F0000-0x00007FFAC5900000-memory.dmp

memory/760-7-0x00007FFB05860000-0x00007FFB05A69000-memory.dmp

memory/760-6-0x00007FFB05860000-0x00007FFB05A69000-memory.dmp

memory/760-8-0x00007FFB05860000-0x00007FFB05A69000-memory.dmp

memory/760-10-0x00007FFB05860000-0x00007FFB05A69000-memory.dmp

memory/760-12-0x00007FFB05860000-0x00007FFB05A69000-memory.dmp

memory/760-11-0x00007FFB05860000-0x00007FFB05A69000-memory.dmp

memory/760-14-0x00007FFAC58F0000-0x00007FFAC5900000-memory.dmp

memory/760-16-0x00007FFAC58F0000-0x00007FFAC5900000-memory.dmp

memory/760-17-0x00007FFB05860000-0x00007FFB05A69000-memory.dmp

memory/760-15-0x00007FFAC58F0000-0x00007FFAC5900000-memory.dmp

memory/760-13-0x00007FFAC58F0000-0x00007FFAC5900000-memory.dmp

memory/760-9-0x00007FFB05860000-0x00007FFB05A69000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240508-en

Max time kernel

1166s

Max time network

1168s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AIModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AIModule.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240611-en

Max time kernel

452s

Max time network

1174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.ARModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.ARModule.dll,#1

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240611-en

Max time kernel

454s

Max time network

1175s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AccessibilityModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AccessibilityModule.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.13:443 tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:09

Platform

win11-20240611-en

Max time kernel

442s

Max time network

1168s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.ClothModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.ClothModule.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:09

Platform

win11-20240508-en

Max time kernel

1158s

Max time network

1159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.ContentLoadModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.ContentLoadModule.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:09

Platform

win11-20240508-en

Max time kernel

1176s

Max time network

1178s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AssetBundleModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.AssetBundleModule.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240611-en

Max time kernel

457s

Max time network

1176s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Seroxen.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Seroxen.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:07

Platform

win11-20240611-en

Max time kernel

453s

Max time network

1175s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.Burst.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Unity.Burst.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-12 04:46

Reported

2024-06-12 05:09

Platform

win11-20240419-en

Max time kernel

1171s

Max time network

1172s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.CoreModule.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UnityEngine.CoreModule.dll,#1

Network

Files

N/A