Malware Analysis Report

2025-01-18 02:20

Sample ID: 240613-bpec8aselr
Target: a354f1dec101798d15052fc10008f9f0_JaffaCakes118
SHA256: eb25a842053c71527656aaf759dd64d333ea0e66f0e237d716340ec5bdb073ab
Tags: upx
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analyses: behavioral16, behavioral2, behavioral9, behavioral12, behavioral14, behavioral1, behavioral11, behavioral30, behavioral4, behavioral15, behavioral19, behavioral29, behavioral31, behavioral22, behavioral32, behavioral3, behavioral5, behavioral10, behavioral21, behavioral27, behavioral17, behavioral20, behavioral23, behavioral25, behavioral6, behavioral7, behavioral8, behavioral24, behavioral28, behavioral13, behavioral18, behavioral26 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: eb25a842053c71527656aaf759dd64d333ea0e66f0e237d716340ec5bdb073ab

Threat Level: Shows suspicious behavior

The file a354f1dec101798d15052fc10008f9f0_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Loads dropped DLL

Maps connected drives based on registry

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:18

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
9 matches (no detail recorded) N/A N/A N/A
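The three static hits above are byte-pattern matches, and the sandbox records no indicator for them. What an analyst checks to confirm them is the PE header itself: UPX leaves section names UPX0/UPX1 and a characteristic layout (an empty first section that the unpacker fills at run time, followed by a high-entropy packed section), and "Unsigned PE" amounts to an empty Authenticode (security) data directory. The following Python is an added example, not part of the sandbox report or of the sample; it parses those fields directly with struct. The two images it runs on are constructed in memory as stand-ins, the 7.0 bits/byte entropy threshold is my heuristic, and a populated security directory only means a signature is attached, not that it verifies.

```python
import hashlib
import math
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4                    # Authenticode signature directory
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed or encrypted data, near 0 for padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Minimal PE header walk: section table plus the security data directory entry."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    # Data directories begin 96 bytes into a PE32 optional header, 112 bytes into PE32+.
    dd = opt + (96 if magic == 0x10B else 112) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    sec_off, sec_size = struct.unpack_from("<II", image, dd)
    sections = []
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        body = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": shannon_entropy(body)})
    return {"machine": machine, "sections": sections, "security_dir": (sec_off, sec_size)}


def triage_pe(image: bytes) -> dict:
    """Confirm the static signatures: UPX names/layout and presence of an Authenticode directory."""
    pe = parse_pe(image)
    secs = pe["sections"]
    upx_names = [s["name"] for s in secs if s["name"] in UPX_SECTION_NAMES]
    # UPX layout: an empty first section (unpacking target) then a high-entropy packed section.
    packed_layout = len(secs) >= 2 and secs[0]["raw_size"] == 0 and secs[1]["entropy"] > 7.0
    return {
        "upx_section_names": upx_names,
        "packed_layout": packed_layout,
        "authenticode_present": pe["security_dir"][1] > 0,
        "sections": [(s["name"], s["raw_size"], round(s["entropy"], 2)) for s in secs],
    }


def build_sample_pe(sections, security_size=0) -> bytes:
    """Constructed minimal PE32 image for the demo; it is a header stand-in, not a runnable binary."""
    e_lfanew, opt_size, align = 0x80, 224, 0x200
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = -(-hdr_len // align) * align               # first section body, file-aligned
    img = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     raw_base if security_size else 0, security_size)
    img += opt
    bodies, va = bytearray(), 0x1000
    for name, data in sections:
        raw_ptr = raw_base + len(bodies) if data else 0
        img += struct.pack("<8sIIIIIIHHI", name, max(len(data), 0x1000), va, len(data), raw_ptr,
                           0, 0, 0, 0, 0x60000020)
        bodies += data + b"\0" * (-len(data) % align)
        va += max(len(data), 0x1000)
    return bytes(img + b"\0" * (raw_base - len(img)) + bodies)


def _pseudo_random(n: int, seed: bytes = b"constructed upx payload") -> bytes:
    """Deterministic high-entropy filler standing in for a packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed inputs: a UPX-style unsigned layout and a plain layout with a security directory.
SAMPLE_UPX_UNSIGNED = build_sample_pe([(b"UPX0", b""), (b"UPX1", _pseudo_random(4096)),
                                       (b".rsrc", b"\0" * 512)])
SAMPLE_PLAIN_SIGNED = build_sample_pe([(b".text", b"\x90" * 1024 + b"\xc3"), (b".data", b"\0" * 256)],
                                      security_size=0x800)

if __name__ == "__main__":
    for label, img in (("upx-unsigned", SAMPLE_UPX_UNSIGNED), ("plain-signed", SAMPLE_PLAIN_SIGNED)):
        print(label, triage_pe(img))
```

Against a real file, replace the constructed images with open(path, "rb").read(); the parser reads only headers and section bodies, so it is safe to run on the dropped files listed under Files below.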

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 2964 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

When the 64-bit rundll32.exe in system32 is handed a 32-bit DLL it re-launches the 32-bit rundll32.exe from SysWOW64 with the same command line (both appear under Processes below with identical arguments); the writes into the child are part of that process creation, so this hit by itself is not evidence of injection into a third-party process.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

The bing.com connections and the in-addr.arpa PTR queries are consistent with the win10 image's own background traffic; nothing in this table ties a destination to CmlProc.dll, so compare against a clean-baseline run of the same image before attributing any of it to the sample.

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
7 matches (no detail recorded) N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
28 events N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
16 events N/A C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe N/A

UPX packed file

upx
Description Indicator Process Target
7 matches (no detail recorded) N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
64 events N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 3292 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe
PID 2320 wrote to memory of 4884 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe
PID 2320 wrote to memory of 1588 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe" --GoAn --Supp 577 --Mode CheckInstall --Cid CC3E8F1A-9904-B842-9070-A70A7BBCF53F

C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe" --InstSupp --Supp 577 --Ver 155

C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe" --PreCheck 577 --Uid 485C42C5E42F764EA983C1249D4CDEB7 --Ver 155

Network

Country Destination Domain Proto
US 8.8.8.8:53 supp.gbot.uk.com udp
US 8.8.8.8:53 cdn.gbot.uk.com udp

Files

C:\Users\Admin\AppData\Local\Temp\nsr8ACC.tmp\System.dll

MD5 3e6bf00b3ac976122f982ae2aadb1c51
SHA1 caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
SHA256 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
SHA512 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe

MD5 f652ea124a7544256e7eb97d879a4ab5
SHA1 0b4d50b0b8afadc8b1921311a11c2f35867f9851
SHA256 2149940c37938dd317c2b09d2a16d00535c493a8a8cfbe82d4b0c5ee1637759e
SHA512 d3f0a7adf58e816e9d0ea03dd528e472697fe65e64cc9ecc299de9cbf6d3d56915af059e2751219b6e9df3dd73e011314f325b221ea7b17e53ca09a1b3092c94

C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\Modules\ManXec.dll

MD5 95cf944c390c06a45b7a455ebf340173
SHA1 ad2c1b92932a52c04ace29cb921bd06d1ca56e53
SHA256 3a6886badafbf4dad3da593097117e252475f3296c85071c53da51ccb7009a38
SHA512 9bc85c527741a90f554fe82d4735fdf003e1b0a7ca40404b763627ed1fe0fe489b2c0e603c3cd90a96120ebb242d718835733f1f3988629be4b0c516ac3229d6

C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\MSVCR110.dll

MD5 4ba25d2cbe1587a841dcfb8c8c4a6ea6
SHA1 52693d4b5e0b55a929099b680348c3932f2c3c62
SHA256 b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49
SHA512 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\MSVCP110.dll

MD5 3e29914113ec4b968ba5eb1f6d194a0a
SHA1 557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256 c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA512 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\Modules\CmlProc.dll

MD5 beccdd9df8ec434c9e6eb78fa054363a
SHA1 f690c5eab1c1c39f84b19f3525114a2b3937cedb
SHA256 6f461ce8c1e47844ed11ec53e08d760fa9340a32b04af207a3976cc7f9dd6cef
SHA512 3a6586743f4129c641cb82886225179d218545aebf82546d07f791dbbe270ddb969040fd9a55ad5485678d881e3a3343be27a84ba412d401864edcc581c60f4d

C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\Modules\InSes.dll

MD5 7ad47a04c4bf17d6fec2cb25d6c3d58e
SHA1 3e89bb832ad06cf28b64dce60e657edfcc1cc387
SHA256 6837d7c7050bc16a35824de09c345b70365a5e7f3dff61ef496ddc03d889b39e
SHA512 1ff31b057a940e226e0791844db37d5cb00453814665f5110699987417163e8fc739573be9d8507d38a7c6d6bb1b46838466d7dcd064c8300dae07c212bdb3c1

C:\Users\Admin\AppData\Local\Temp\nsr8ACC.tmp\md5dll.dll

MD5 7059f133ea2316b9e7e39094a52a8c34
SHA1 ee9f1487c8152d8c42fecf2efb8ed1db68395802
SHA256 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f
SHA512 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

memory/2320-128-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-129-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-127-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-126-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-125-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-123-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-118-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-116-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-112-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-108-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-106-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-101-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-99-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-93-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-88-0x00000000020B0000-0x00000000020BA000-memory.dmp

memory/2320-67-0x00000000020B0000-0x00000000020BA000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 308

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
2 matches (no detail recorded) N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
2 matches (no detail recorded) N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 4900 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 600

Network

Country Destination Domain Proto
NL 52.111.243.31:443 tcp

Files

memory/4900-0-0x0000000010000000-0x000000001000A000-memory.dmp

memory/4900-1-0x0000000010000000-0x000000001000A000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

58s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1344 wrote to memory of 5052 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
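The WriteProcessMemory tables in behavioral16, behavioral2, behavioral12 and this analysis record two different things under one signature: system32\rundll32.exe writing into SysWOW64\rundll32.exe, which is the 64-bit host re-launching its 32-bit twin to load a 32-bit DLL, and the installer (PID 2320 in behavioral2) writing into three instances of the RtHelp.exe it had just dropped into %TEMP%. The Python below is an added example, not part of the sandbox output: it parses the report's rows as printed, collapses the three-fold repeats into one entry per PID pair, and separates the two patterns. The classification rules are my triage heuristics, not the sandbox's, and the rows are copied from the tables on this page.

```python
import re

# Rows copied from this report's "Suspicious use of WriteProcessMemory" tables. Each distinct
# write appears three times in the report, so the rows are repeated the same way here.
_R16 = r"PID 3104 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe"
_R12 = r"PID 4780 wrote to memory of 4900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe"
_R14 = r"PID 1344 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe"
_SRC2 = r"C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe"
_DST2 = r"C:\Users\Admin\AppData\Local\Temp\771D11AB-8A16-5746-82C5-855AC9FCCB2A\RtHelp.exe"
REPORT_ROWS = (
    [_R16] * 3
    + [f"PID 2320 wrote to memory of {dst} N/A {_SRC2} {_DST2}"
       for dst in (3292, 4884, 1588) for _ in range(3)]
    + [_R12] * 3
    + [_R14] * 3
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_row(row: str) -> dict:
    """Split one table row into source/target PIDs and image paths."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    return {"src_pid": int(m[1]), "dst_pid": int(m[2]), "src": m[3], "dst": m[4]}


def classify(src: str, dst: str) -> str:
    """Heuristic label for a write from process image `src` into process image `dst`."""
    s, d = src.lower(), dst.lower()
    same_image = s.rsplit("\\", 1)[-1] == d.rsplit("\\", 1)[-1]
    if same_image and "\\system32\\" in s and "\\syswow64\\" in d:
        # 64-bit host binary re-launching its 32-bit twin (rundll32 handed a 32-bit DLL).
        return "wow64_relaunch"
    if "\\appdata\\local\\temp\\" in d and not same_image:
        # Parent writing into a child it dropped under %TEMP%: the pattern worth following up.
        return "parent_writes_dropped_child"
    return "other"


def summarize(rows) -> list:
    """Collapse repeated rows into one entry per (source PID, target PID) with a write count."""
    pairs = {}
    for row in map(parse_row, rows):
        key = (row["src_pid"], row["dst_pid"])
        entry = pairs.setdefault(key, {**row, "writes": 0, "kind": classify(row["src"], row["dst"])})
        entry["writes"] += 1
    return list(pairs.values())


def flagged(summary) -> list:
    """Entries not explained by the WoW64 relaunch pattern."""
    return [e for e in summary if e["kind"] != "wow64_relaunch"]


if __name__ == "__main__":
    for e in summarize(REPORT_ROWS):
        print(f"{e['src_pid']:>5} -> {e['dst_pid']:<5} {e['writes']} writes  {e['kind']}")
```

Run over these rows, only the three PID 2320 -> RtHelp.exe pairs survive the filter; the three rundll32 pairs are the relaunch pattern and can be checked off once the Processes section confirms identical command lines for the system32 and SysWOW64 instances.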

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5052 -ip 5052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win7-20240611-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
18 events N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
20 events N/A C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob data omitted from report] C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe
PID 2764 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a354f1dec101798d15052fc10008f9f0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe" --GoAn --Supp 577 --Mode CheckInstall --Cid 5C78302E-B2AD-F74D-A0E2-6972D837426F

C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe" --InstSupp --Supp 577 --Ver 155

C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe" --PreCheck 577 --Uid F70EB7DE448E4945BB6F967C9E47937D --Ver 155

C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe" --GoAn --Supp 577 --Mode StartInstall --Cid 1A48AE48-1D97-654B-9A7B-45CC621679CA

Network

Country Destination Domain Proto
GB 216.58.213.14:80 www.google-analytics.com tcp
US 8.8.8.8:53 supp.gbot.uk.com udp
US 54.153.56.183:80 supp.gbot.uk.com tcp
US 8.8.8.8:53 uk.com udp
US 54.153.56.183:443 uk.com tcp
US 8.8.8.8:53 cdn.gbot.uk.com udp
US 54.153.56.183:80 cdn.gbot.uk.com tcp
US 54.153.56.183:443 cdn.gbot.uk.com tcp
GB 216.58.213.14:80 www.google-analytics.com tcp

Files

\Users\Admin\AppData\Local\Temp\nso64BD.tmp\System.dll

MD5 3e6bf00b3ac976122f982ae2aadb1c51
SHA1 caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
SHA256 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
SHA512 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\RtHelp.exe

MD5 f652ea124a7544256e7eb97d879a4ab5
SHA1 0b4d50b0b8afadc8b1921311a11c2f35867f9851
SHA256 2149940c37938dd317c2b09d2a16d00535c493a8a8cfbe82d4b0c5ee1637759e
SHA512 d3f0a7adf58e816e9d0ea03dd528e472697fe65e64cc9ecc299de9cbf6d3d56915af059e2751219b6e9df3dd73e011314f325b221ea7b17e53ca09a1b3092c94

C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\Modules\ManXec.dll

MD5 95cf944c390c06a45b7a455ebf340173
SHA1 ad2c1b92932a52c04ace29cb921bd06d1ca56e53
SHA256 3a6886badafbf4dad3da593097117e252475f3296c85071c53da51ccb7009a38
SHA512 9bc85c527741a90f554fe82d4735fdf003e1b0a7ca40404b763627ed1fe0fe489b2c0e603c3cd90a96120ebb242d718835733f1f3988629be4b0c516ac3229d6

C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\MSVCP110.dll

MD5 3e29914113ec4b968ba5eb1f6d194a0a
SHA1 557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256 c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA512 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\MSVCR110.dll

MD5 4ba25d2cbe1587a841dcfb8c8c4a6ea6
SHA1 52693d4b5e0b55a929099b680348c3932f2c3c62
SHA256 b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49
SHA512 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\Modules\CmlProc.dll

MD5 beccdd9df8ec434c9e6eb78fa054363a
SHA1 f690c5eab1c1c39f84b19f3525114a2b3937cedb
SHA256 6f461ce8c1e47844ed11ec53e08d760fa9340a32b04af207a3976cc7f9dd6cef
SHA512 3a6586743f4129c641cb82886225179d218545aebf82546d07f791dbbe270ddb969040fd9a55ad5485678d881e3a3343be27a84ba412d401864edcc581c60f4d

C:\Users\Admin\AppData\Local\Temp\78E24BC5-A4FD-3D42-9C7B-6C45CB27B857\Modules\InSes.dll

MD5 7ad47a04c4bf17d6fec2cb25d6c3d58e
SHA1 3e89bb832ad06cf28b64dce60e657edfcc1cc387
SHA256 6837d7c7050bc16a35824de09c345b70365a5e7f3dff61ef496ddc03d889b39e
SHA512 1ff31b057a940e226e0791844db37d5cb00453814665f5110699987417163e8fc739573be9d8507d38a7c6d6bb1b46838466d7dcd064c8300dae07c212bdb3c1

\Users\Admin\AppData\Local\Temp\nso64BD.tmp\md5dll.dll

MD5 7059f133ea2316b9e7e39094a52a8c34
SHA1 ee9f1487c8152d8c42fecf2efb8ed1db68395802
SHA256 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f
SHA512 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

memory/2764-102-0x0000000000570000-0x000000000057A000-memory.dmp

memory/2764-101-0x0000000000570000-0x000000000057A000-memory.dmp

memory/2764-100-0x0000000000570000-0x000000000057A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9821DD67A94463DFB9F3F00C073D3012

MD5 4dfd9ceab2ed28520b594b01d63a204d
SHA1 fdfc2578101678d1cbffef4425513d38a843a927
SHA256 a21178800df6101a562dd52aa36732e0379fe065d1b12ee914005fa6d2a51652
SHA512 d86f83a3957be3125d2fb366070f19166a1bef6494a5629eb7f181f51161cbebdc0f4b345ba53a6a5d43bcc48be657fb6919d3f37c62e8381232bfe1f9ae4a9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9821DD67A94463DFB9F3F00C073D3012

MD5 143ae1ad1aa2bde53ac1d14c42422fb7
SHA1 69fe26111bc5f0a77b3a105b176db42a6ae02e6f
SHA256 66ce9f082e5262dbc66aa6635f646f1790a272e60768233e92409fc7eb1e9abc
SHA512 d0703b8b8a3b9cd863f6e4c1d8d56e5ac3bd52c2918209eaa80ad9d44e41e4c3b509794946c9edd87af75119c181fdc1a75c2285adfd7cbd59b4100ffab2918b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 af4b601ddb0b9e9c9fb36cff3a321d27
SHA1 e3058e8beb9da46493116ea68e395d0b1e3b00f6
SHA256 a5728de1613a7080b3fd152b67b23c5664ff425fcdacd512209e00463d59251b
SHA512 8b30833b3de24851e70506fbc5fbce3d1329b53793850f168a96dffd776b22cf98b8acc39dced47bb67ac6d9f37eeb82757888e2e509ee9a4a78ed8b838a471f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a899ba3804ef02015f893434a8bc8b7
SHA1 fe4a3208a04bfc7d60f223348bd9ef8f2a685a5f
SHA256 f2a92a5590ceb569227f22d9d8a2a3a9d2e49978eb7506d587aab3ad8d3e5f40
SHA512 6f1f3ba2ae84784a0f8768fa465f470f21b56f8be66156618df4774b9c8673eebc66e86462b99cb6bb1627cffd7ea744037768b5b99a0b9ae2be8faccee5507c

C:\Users\Admin\AppData\Local\Temp\Cab7BD4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

\Users\Admin\AppData\Local\Temp\nso64BD.tmp\nsDialogs.dll

MD5 dbdbf4017ff91c9de328697b5fd2e10a
SHA1 b597a5e9a8a0b252770933feed51169b5060a09f
SHA256 be60a00f32924ccbe03f9914e33b8e1ad8c8a1ca442263a69896efba74925b36
SHA512 3befc15aab0a5dbe7fde96155b0499d385f2799b1a2d47ce04f37b5804006b1c6c4fff93d3cedb56a2a8172b23752b6f9dc6168cfce3596b91def3247836cf10

memory/2764-142-0x0000000000570000-0x000000000057A000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win7-20240220-en
Max time kernel 140s
Max time network 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 224

Network

N/A

Files

memory/2808-0-0x0000000010000000-0x000000001000A000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win10v2004-20240611-en
Max time kernel 93s
Max time network 97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3768 wrote to memory of 1660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3768 wrote to memory of 1660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3768 wrote to memory of 1660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win10v2004-20240611-en
Max time kernel 125s
Max time network 127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5108 wrote to memory of 8 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5108 wrote to memory of 8 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5108 wrote to memory of 8 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8 -ip 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4092,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win7-20240508-en
Max time kernel 122s
Max time network 131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1780 wrote to memory of 1708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 1708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 1708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 1708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 1708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 1708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 1708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\CmlProc.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win7-20240611-en
Max time kernel 118s
Max time network 126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 1540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 1540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 1540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 1540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 1540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 1540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2852 wrote to memory of 1540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win7-20240220-en
Max time kernel 120s
Max time network 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win7-20240611-en
Max time kernel 122s
Max time network 130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmlProc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1168 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1168 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1168 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1168 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1168 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1168 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmlProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmlProc.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win10v2004-20240508-en
Max time kernel 147s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe"

Network

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win10v2004-20240508-en
Max time kernel 146s
Max time network 151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmlProc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4388 wrote to memory of 4332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4388 wrote to memory of 4332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4388 wrote to memory of 4332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmlProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmlProc.dll,#1

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win7-20240419-en
Max time kernel 119s
Max time network 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellExecAsUser.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 224

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win7-20240220-en
Max time kernel 118s
Max time network 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win10v2004-20240611-en
Max time kernel 114s
Max time network 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1988 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1988 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3012 -ip 3012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4104,i,1400471177590024469,587385956640537806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 13.107.42.16:443 tcp
US 13.107.42.16:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win7-20240508-en
Max time kernel 120s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe

"C:\Users\Admin\AppData\Local\Temp\$_43_\RtHelp.exe"

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win7-20240508-en
Max time kernel 118s
Max time network 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 1464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted 2024-06-13 01:18
Reported 2024-06-13 01:21
Platform win7-20240611-en
Max time kernel 120s
Max time network 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 2848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 2848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 2848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 2848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 2848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 2848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 2848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2368 wrote to memory of 648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2368 wrote to memory of 648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\ManXec.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 220

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win7-20240419-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 4416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1968 wrote to memory of 4416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1968 wrote to memory of 4416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4416 -ip 4416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 800 wrote to memory of 4020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 800 wrote to memory of 4020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 800 wrote to memory of 4020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4020 -ip 4020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 612

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2588 wrote to memory of 3076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 3076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 3076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcp110.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 604

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4808 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4808 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1372 -ip 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 572

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 244

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 376 wrote to memory of 3812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 376 wrote to memory of 3812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 376 wrote to memory of 3812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\Modules\InSes.dll,#1

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-13 01:18

Reported

2024-06-13 01:21

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_43_\msvcr110.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 600

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

N/A